
Windows Analysis Report
5GOuTtZoQn.exe

Overview

General Information

Sample name: 5GOuTtZoQn.exe (renamed because original name is a hash value)
Original sample name: 7fc4847438a3867ab9380525626d0cece5f31bd4d148864e4168616c182f7b6e.exe
Analysis ID: 1466817
MD5: 5f93b2e5faf3721c176353fd8ab82f9d
SHA1: 85b6c685a5a88e8e25385a73330defa2a3c9f373
SHA256: 7fc4847438a3867ab9380525626d0cece5f31bd4d148864e4168616c182f7b6e
Tags: exe, SmokeLoader

Detection

LummaC, Poverty Stealer, SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected LummaC Stealer
Yara detected Poverty Stealer
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Too many similar processes found
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • 5GOuTtZoQn.exe (PID: 6668 cmdline: "C:\Users\user\Desktop\5GOuTtZoQn.exe" MD5: 5F93B2E5FAF3721C176353FD8AB82F9D)
    • explorer.exe (PID: 2580 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
      • MpCmdRun.exe (PID: 352 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
        • conhost.exe (PID: 2284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • E636.exe (PID: 4476 cmdline: C:\Users\user\AppData\Local\Temp\E636.exe MD5: BD2EAC64CBDED877608468D86786594A)
      • AD6.exe (PID: 352 cmdline: C:\Users\user\AppData\Local\Temp\AD6.exe MD5: 60172CA946DE57C3529E9F05CC502870)
        • setup.exe (PID: 504 cmdline: "C:\Users\user\AppData\Local\Temp\setup.exe" MD5: FF2293FBFF53F4BD2BFF91780FABFD60)
          • GamePall.exe (PID: 4484 cmdline: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 6348 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/127.1 Mobile/15E148 Safari/605.1.15" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3308 --field-trial-handle=3304,i,784606554325148639,9845247229423355752,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2 MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 6420 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/127.1 Mobile/15E148 Safari/605.1.15" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3528 --field-trial-handle=3304,i,784606554325148639,9845247229423355752,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8 MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 6492 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/127.1 Mobile/15E148 Safari/605.1.15" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3664 --field-trial-handle=3304,i,784606554325148639,9845247229423355752,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8 MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 6540 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/127.1 Mobile/15E148 Safari/605.1.15" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719999716977116 --launch-time-ticks=7077579277 --mojo-platform-channel-handle=3760 --field-trial-handle=3304,i,784606554325148639,9845247229423355752,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1 MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 6712 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/127.1 Mobile/15E148 Safari/605.1.15" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719999716977116 --launch-time-ticks=7077667358 --mojo-platform-channel-handle=4152 --field-trial-handle=3304,i,784606554325148639,9845247229423355752,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1 MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 6756 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 4824 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 2848 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
                • GamePall.exe (PID: 516 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
                • GamePall.exe (PID: 6956 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 6024 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 5248 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
                • GamePall.exe (PID: 1968 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 6596 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 1716 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 5848 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 1184 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 4112 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 332 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 1236 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 5180 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 6932 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 7144 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 2108 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 4124 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
      • 2DF0.exe (PID: 7024 cmdline: C:\Users\user\AppData\Local\Temp\2DF0.exe MD5: DA4B6F39FC024D2383D4BFE7F67F1EE1)
      • GamePall.exe (PID: 6548 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
  • wdugfia (PID: 6164 cmdline: C:\Users\user\AppData\Roaming\wdugfia MD5: 5F93B2E5FAF3721C176353FD8AB82F9D)
  • wdugfia (PID: 3232 cmdline: C:\Users\user\AppData\Roaming\wdugfia MD5: 5F93B2E5FAF3721C176353FD8AB82F9D)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body.
Attribution: SMOKY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader
LummaC: {"C2 url": ["pedestriankodwu.xyz", "towerxxuytwi.xyz", "ellaboratepwsz.xyz", "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop", "foodypannyjsud.shop"], "Build id": "bOKHNM--"}
SmokeLoader: {"Version": 2022, "C2 list": ["http://movlat.com/tmp/", "http://llcbc.org/tmp/", "http://lindex24.ru/tmp/", "http://qeqei.xyz/tmp/"]}
Poverty Stealer: {"C2 url": "146.70.169.164:2227"}
Source | Rule | Description | Author | Strings
00000005.00000002.2153839501.0000000003F90000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.1854520815.0000000002500000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000000.00000002.1854520815.0000000002500000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown
  • 0x604:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000005.00000002.2153894558.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000005.00000002.2153894558.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown
  • 0x604:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0

Source | Rule | Description | Author | Strings
9.2.2DF0.exe.1276b20.1.unpack | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security
9.2.2DF0.exe.12cc9c0.2.unpack | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security
9.2.2DF0.exe.3950000.3.unpack | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security
9.2.2DF0.exe.12cc9c0.2.raw.unpack | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security
9.2.2DF0.exe.3950000.3.raw.unpack | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\setup.exe, ProcessId: 504, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GamePall
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\Users\user\AppData\Roaming\wdugfia, CommandLine: C:\Users\user\AppData\Roaming\wdugfia, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\wdugfia, NewProcessName: C:\Users\user\AppData\Roaming\wdugfia, OriginalFileName: C:\Users\user\AppData\Roaming\wdugfia, ParentCommandLine: , ParentImage: , ParentProcessId: 1044, ProcessCommandLine: C:\Users\user\AppData\Roaming\wdugfia, ProcessId: 6164, ProcessName: wdugfia
No Snort rule has matched


AV Detection

Source: C:\Users\user\AppData\Local\Temp\E636.exe | Avira: detection malicious, Label: HEUR/AGEN.1313486
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: C:\Users\user\AppData\Local\Temp\AD6.exe | Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Avira: detection malicious, Label: HEUR/AGEN.1352426
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\huge[1].dat | Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: 00000000.00000002.1854520815.0000000002500000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://movlat.com/tmp/", "http://llcbc.org/tmp/", "http://lindex24.ru/tmp/", "http://qeqei.xyz/tmp/"]}
Source: 9.2.2DF0.exe.12cc9c0.2.unpack | Malware Configuration Extractor: Poverty Stealer {"C2 url": "146.70.169.164:2227"}
Source: 6.2.E636.exe.7a0000.0.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["pedestriankodwu.xyz", "towerxxuytwi.xyz", "ellaboratepwsz.xyz", "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop", "foodypannyjsud.shop"], "Build id": "bOKHNM--"}
Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | ReversingLabs: Detection: 54%
Source: C:\Users\user\AppData\Local\Temp\AD6.exe | ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\E636.exe | ReversingLabs: Detection: 67%
Source: C:\Users\user\AppData\Roaming\wdugfia | ReversingLabs: Detection: 60%
Source: 5GOuTtZoQn.exe | ReversingLabs: Detection: 60%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\E636.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\GamePall\Del.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Joe Sandbox ML: detected
Source: 5GOuTtZoQn.exe | Joe Sandbox ML: detected
Source: 6.2.E636.exe.7a0000.0.unpack | String decryptor: pedestriankodwu.xyz
Source: 6.2.E636.exe.7a0000.0.unpack | String decryptor: towerxxuytwi.xyz
Source: 6.2.E636.exe.7a0000.0.unpack | String decryptor: ellaboratepwsz.xyz
Source: 6.2.E636.exe.7a0000.0.unpack | String decryptor: penetratedpoopp.xyz
Source: 6.2.E636.exe.7a0000.0.unpack | String decryptor: swellfrrgwwos.xyz
Source: 6.2.E636.exe.7a0000.0.unpack | String decryptor: contintnetksows.shop
Source: 6.2.E636.exe.7a0000.0.unpack | String decryptor: foodypannyjsud.shop
Source: 6.2.E636.exe.7a0000.0.unpack | String decryptor: potterryisiw.shop
Source: 6.2.E636.exe.7a0000.0.unpack | String decryptor: foodypannyjsud.shop
Source: 6.2.E636.exe.7a0000.0.unpack | String decryptor: lid=%s&j=%s&ver=4.0
Source: 6.2.E636.exe.7a0000.0.unpack | String decryptor: TeslaBrowser/5.5
Source: 6.2.E636.exe.7a0000.0.unpack | String decryptor: - Screen Resoluton:
Source: 6.2.E636.exe.7a0000.0.unpack | String decryptor: - Physical Installed Memory:
Source: 6.2.E636.exe.7a0000.0.unpack | String decryptor: Workgroup: -
Source: 6.2.E636.exe.7a0000.0.unpack | String decryptor: bOKHNM--
Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | Code function: 9_2_03951C94 CryptUnprotectData,CryptProtectData,9_2_03951C94

Compliance

Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | Unpacked PE file: 9.2.2DF0.exe.3950000.3.unpack
Source: 5GOuTtZoQn.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamePall
Source: C:\Users\user\Desktop\5GOuTtZoQn.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: ntkrnlmp.pdbx, source: 2DF0.exe, 00000009.00000002.3005724520.000000000A9ED000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256f source: Newtonsoft.Json.dll.11.dr
Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll.pdb source: widevinecdmadapter.dll.11.dr
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: 2DF0.exe, 00000009.00000002.3005724520.000000000A9EF000.00000004.00000020.00020000.00000000.sdmp, 2DF0.exe, 00000009.00000002.3005724520.000000000A9ED000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: Newtonsoft.Json.dll.11.dr
Source: Binary string: libEGL.dll.pdb source: setup.exe, 0000000B.00000002.3769420567.0000000002735000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb source: 2DF0.exe, 00000009.00000002.3005724520.000000000A9EF000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: e:\work\newContent\secondBranch\new\GamePall\obj\Release\GamePall.pdb source: GamePall.exe, 0000000C.00000000.3371439207.0000000000862000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: GamePall.exe, GamePall.exe, 0000000E.00000002.3474550859.00000000052A2000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\chrome_elf.dll.pdb source: GamePall.exe, 0000000E.00000002.3491756212.0000000060529000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: GamePall.exe, 0000000E.00000002.3473498425.0000000004E32000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: GamePall.exe, 0000000E.00000002.3474550859.00000000052A2000.00000002.00000001.01000000.00000013.sdmp
Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\chrome_elf.dll.pdb source: GamePall.exe, 0000000E.00000002.3491756212.0000000060529000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll.pdbGCTL source: widevinecdmadapter.dll.11.dr
Source: Binary string: *?|<>/":%s%s.dllC:\Users\user\AppData\Roaming\GamePall\GamePall.exeewall.dllll.pdbC:\Users\user\AppData\Roaming\GamePall\Uninstall.exemePalll source: setup.exe, 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: GamePall.exe, GamePall.exe, 0000000E.00000002.3473498425.0000000004E32000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: \Desktop\projects\Release\BigProject.pdb source: 2DF0.exe, 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmp, 2DF0.exe, 00000009.00000000.2323778514.0000000000B79000.00000002.00000001.01000000.0000000C.sdmp, 2DF0.exe.1.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\* source: 2DF0.exe, 00000009.00000002.2987292224.000000000126C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: Xilium.CefGlue.pdb source: setup.exe, 0000000B.00000002.3535618874.0000000000599000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \swiftshaderXilium.CefGlue.pdb source: setup.exe, 0000000B.00000002.3535618874.0000000000599000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831* source: 2DF0.exe, 00000009.00000002.2987292224.000000000126C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Desktop\projects\Release\BigProject.pdb. source: 2DF0.exe, 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmp, 2DF0.exe, 00000009.00000000.2323778514.0000000000B79000.00000002.00000001.01000000.0000000C.sdmp, 2DF0.exe.1.dr
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Directory queried: number of queries: 1248
Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | Code function: 9_2_00B7256E FindFirstFileExW,FindNextFileW,FindClose,FindClose,9_2_00B7256E
Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | Code function: 9_2_03951000 FindFirstFileW,FindNextFileW,EnterCriticalSection,LeaveCriticalSection,9_2_03951000
Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | Code function: 9_2_03954E27 FindFirstFileW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,9_2_03954E27
Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | Code function: 9_2_03951D3C FindFirstFileW,FindNextFileW,9_2_03951D3C
Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | Code function: 9_2_039540BA FindFirstFileW,FindNextFileW,9_2_039540BA
Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | Code function: 9_2_03953EFC FindFirstFileW,FindNextFileW,9_2_03953EFC
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Code function: 11_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,11_2_00405B4A
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Code function: 11_2_004066FF FindFirstFileA,FindClose,11_2_004066FF
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Code function: 11_2_004027AA FindFirstFileA,11_2_004027AA
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_6051EA80 FindFirstFileExW,14_2_6051EA80
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_604EF346 FindFirstFileExW,14_2_604EF346
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_604EF3F7 FindFirstFileExW,RevokeDragDrop,FindNextFileW,FindClose,FindClose,14_2_604EF3F7
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_6051F490 FindFirstFileExW,14_2_6051F490
Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\
Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\
Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\
Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\
Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | File opened: C:\Users\user\AppData\Local\Adobe\
Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 4x nop then movd mm0, dword ptr [edx] 14_2_604546F0

                Networking

                barindex
                Source: C:\Windows\explorer.exeNetwork Connect: 77.221.157.163 80Jump to behavior
                Source: C:\Windows\explorer.exeNetwork Connect: 141.8.194.149 80Jump to behavior
                Source: C:\Windows\explorer.exeNetwork Connect: 190.147.2.86 80Jump to behavior
                Source: C:\Windows\explorer.exeNetwork Connect: 188.114.97.3 80Jump to behavior
                Source: C:\Windows\explorer.exeNetwork Connect: 186.101.193.110 80Jump to behavior
                Source: Malware configuration extractorURLs: pedestriankodwu.xyz
                Source: Malware configuration extractorURLs: towerxxuytwi.xyz
                Source: Malware configuration extractorURLs: ellaboratepwsz.xyz
                Source: Malware configuration extractorURLs: penetratedpoopp.xyz
                Source: Malware configuration extractorURLs: swellfrrgwwos.xyz
                Source: Malware configuration extractorURLs: contintnetksows.shop
                Source: Malware configuration extractorURLs: foodypannyjsud.shop
                Source: Malware configuration extractorURLs: potterryisiw.shop
                Source: Malware configuration extractorURLs: foodypannyjsud.shop
                Source: Malware configuration extractorURLs: http://movlat.com/tmp/
                Source: Malware configuration extractorURLs: http://llcbc.org/tmp/
                Source: Malware configuration extractorURLs: http://lindex24.ru/tmp/
                Source: Malware configuration extractorURLs: http://qeqei.xyz/tmp/
                Source: Malware configuration extractorURLs: 146.70.169.164:2227
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeCode function: 9_2_00B05B80 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,InternetOpenA,FreeLibrary,_strlen,InternetOpenUrlA,FreeLibrary,task,InternetReadFile,FreeLibrary,task,9_2_00B05B80
                Source: GamePall.exe, 0000000E.00000002.3470666729.00000000027B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.install-stat.debug.world/clients/activity
                Source: GamePall.exe, 0000000E.00000002.3470666729.00000000027B1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.install-stat.debug.world/clients/installs
                Source: GamePall.exe, 00000012.00000002.3683666966.0000000002261000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://bageyou.xyz
                Source: Newtonsoft.Json.dll.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                Source: E636.exe, 00000006.00000003.2235658255.0000000003E0E000.00000004.00000800.00020000.00000000.sdmp, 2DF0.exe, 00000009.00000003.2979074721.000000000AA5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                Source: E636.exe, 00000006.00000003.2235658255.0000000003E0E000.00000004.00000800.00020000.00000000.sdmp, 2DF0.exe, 00000009.00000003.2979074721.000000000AA5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                Source: explorer.exe, 00000001.00000000.1844365188.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1846263087.000000000982D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                Source: Newtonsoft.Json.dll.11.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                Source: Newtonsoft.Json.dll.11.dr | String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
                Source: E636.exe, 00000006.00000003.2235658255.0000000003E0E000.00000004.00000800.00020000.00000000.sdmp, 2DF0.exe, 00000009.00000003.2979074721.000000000AA5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
                Source: Newtonsoft.Json.dll.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                Source: E636.exe, 00000006.00000003.2235658255.0000000003E0E000.00000004.00000800.00020000.00000000.sdmp, 2DF0.exe, 00000009.00000003.2979074721.000000000AA5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                Source: E636.exe, 00000006.00000003.2235658255.0000000003E0E000.00000004.00000800.00020000.00000000.sdmp, 2DF0.exe, 00000009.00000003.2979074721.000000000AA5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                Source: explorer.exe, 00000001.00000000.1844365188.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1846263087.000000000982D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                Source: Newtonsoft.Json.dll.11.dr | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
                Source: Newtonsoft.Json.dll.11.dr | String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
                Source: Newtonsoft.Json.dll.11.dr | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                Source: Newtonsoft.Json.dll.11.dr | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                Source: E636.exe, 00000006.00000003.2235658255.0000000003E0E000.00000004.00000800.00020000.00000000.sdmp, 2DF0.exe, 00000009.00000003.2979074721.000000000AA5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                Source: explorer.exe, 00000001.00000000.1844365188.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1846263087.000000000982D000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                Source: Newtonsoft.Json.dll.11.dr | String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
                Source: Newtonsoft.Json.dll.11.dr | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                Source: E636.exe, 00000006.00000003.2235658255.0000000003E0E000.00000004.00000800.00020000.00000000.sdmp, 2DF0.exe, 00000009.00000003.2979074721.000000000AA5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
                Source: Newtonsoft.Json.dll.11.dr | String found in binary or memory: http://james.newtonking.com/projects/json
                Source: log4net.xml.11.dr | String found in binary or memory: http://logging.apache.org/log4j
                Source: GamePall.exe | String found in binary or memory: http://logging.apache.org/log4ne
                Source: GamePall.exe, 0000000E.00000002.3473498425.0000000004E32000.00000002.00000001.01000000.00000012.sdmp, log4net.xml.11.dr | String found in binary or memory: http://logging.apache.org/log4net/release/faq.html#trouble-EventLog
                Source: log4net.xml.11.dr | String found in binary or memory: http://logging.apache.org/log4net/schemas/log4net-events-1.2>
                Source: setup.exe, setup.exe, 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp, setup.exe, 0000000B.00000000.3083333890.000000000040A000.00000008.00000001.01000000.0000000E.sdmp, setup.exe, 0000000B.00000003.3371912395.00000000005F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_Error
                Source: AD6.exe, 00000008.00000000.2263677389.000000000040A000.00000008.00000001.01000000.00000008.sdmp, setup.exe, 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp, setup.exe, 0000000B.00000000.3083333890.000000000040A000.00000008.00000001.01000000.0000000E.sdmp, setup.exe, 0000000B.00000003.3371912395.00000000005F7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                Source: explorer.exe, 00000001.00000000.1844365188.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1846263087.000000000982D000.00000004.00000001.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2235658255.0000000003E0E000.00000004.00000800.00020000.00000000.sdmp, 2DF0.exe, 00000009.00000003.2979074721.000000000AA5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
                Source: Newtonsoft.Json.dll.11.dr | String found in binary or memory: http://ocsp.digicert.com0C
                Source: Newtonsoft.Json.dll.11.dr | String found in binary or memory: http://ocsp.digicert.com0K
                Source: Newtonsoft.Json.dll.11.dr | String found in binary or memory: http://ocsp.digicert.com0N
                Source: Newtonsoft.Json.dll.11.dr | String found in binary or memory: http://ocsp.digicert.com0O
                Source: explorer.exe, 00000001.00000000.1844365188.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
                Source: E636.exe, 00000006.00000003.2235658255.0000000003E0E000.00000004.00000800.00020000.00000000.sdmp, 2DF0.exe, 00000009.00000003.2979074721.000000000AA5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
                Source: explorer.exe, 00000001.00000000.1845594851.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1845107188.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1846930986.0000000009B60000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
                Source: GamePall.exe, GamePall.exe, 0000000E.00000002.3473498425.0000000004E32000.00000002.00000001.01000000.00000012.sdmp | String found in binary or memory: http://www.apache.org/).
                Source: GamePall.exe, GamePall.exe, 0000000E.00000002.3473498425.0000000004E32000.00000002.00000001.01000000.00000012.sdmp | String found in binary or memory: http://www.apache.org/licenses/
                Source: GamePall.exe | String found in binary or memory: http://www.apache.org/licenses/LICEN
                Source: GamePall.exe, 0000000E.00000002.3473498425.0000000004E32000.00000002.00000001.01000000.00000012.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                Source: explorer.exe, 00000001.00000000.1844365188.00000000079B1000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
                Source: log4net.xml.11.dr | String found in binary or memory: http://www.connectionstrings.com/
                Source: log4net.xml.11.dr | String found in binary or memory: http://www.faqs.org/rfcs/rfc3164.html.
                Source: log4net.xml.11.dr | String found in binary or memory: http://www.iana.org/assignments/multicast-addresses
                Source: GamePall.exe, 0000000E.00000002.3475253670.0000000005F57000.00000002.00000001.00040000.0000001B.sdmp | String found in binary or memory: http://www.unicode.org/copyright.html
                Source: E636.exe, 00000006.00000003.2235658255.0000000003E0E000.00000004.00000800.00020000.00000000.sdmp, 2DF0.exe, 00000009.00000003.2979074721.000000000AA5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
                Source: E636.exe, 00000006.00000003.2235658255.0000000003E0E000.00000004.00000800.00020000.00000000.sdmp, 2DF0.exe, 00000009.00000003.2979074721.000000000AA5F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
                Source: AD6.exe, 00000008.00000003.2266842133.0000000003070000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://xiexie.wf/22_551/huge.dat
                Source: E636.exe, 00000006.00000003.2213042327.0000000003E1F000.00000004.00000800.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2213129167.0000000003E08000.00000004.00000800.00020000.00000000.sdmp, 2DF0.exe, 00000009.00000002.2989495989.000000000A341000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: explorer.exe, 00000001.00000000.1848132573.000000000C893000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
                Source: explorer.exe, 00000001.00000000.1844365188.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/Vh5j3k
                Source: explorer.exe, 00000001.00000000.1844365188.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://aka.ms/odirmr
                Source: explorer.exe, 00000001.00000000.1848132573.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOS
                Source: explorer.exe, 00000001.00000000.1846263087.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/
                Source: explorer.exe, 00000001.00000000.1846263087.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/q
                Source: explorer.exe, 00000001.00000000.1843592476.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1843056048.0000000001240000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
                Source: explorer.exe, 00000001.00000000.1846263087.00000000096DF000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
                Source: explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
                Source: explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1846263087.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
                Source: explorer.exe, 00000001.00000000.1846263087.00000000096DF000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.comi
                Source: explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
                Source: explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
                Source: explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
                Source: explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
                Source: 2DF0.exe, 00000009.00000002.2987292224.000000000124D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://aui-cdn.atlassian.com/
                Source: 2DF0.exe, 00000009.00000002.2987292224.000000000124D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/
                Source: 2DF0.exe, 00000009.00000002.2987292224.000000000124D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/N
                Source: 2DF0.exe, 00000009.00000002.2987292224.000000000124D000.00000004.00000020.00020000.00000000.sdmp, 2DF0.exe, 00000009.00000002.2987292224.0000000001200000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/fcsdcvscvc/sadcasdv/raw/62af221cbc4d137cf4e95f7d66f3ced90597b434/kupee
                Source: 2DF0.exe, 00000009.00000002.2987292224.000000000124D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/fcsdcvscvc/sadcasdv/raw/62af221cbc4d137cf4e95f7d66f3ced90597b434/kupeeC
                Source: E636.exe, 00000006.00000003.2237638501.00000000016E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
                Source: 2DF0.exe, 00000009.00000002.2987292224.000000000124D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.cookielaw.org/
                Source: E636.exe, 00000006.00000003.2213042327.0000000003E1F000.00000004.00000800.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2213129167.0000000003E08000.00000004.00000800.00020000.00000000.sdmp, 2DF0.exe, 00000009.00000002.2989495989.000000000A341000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
                Source: explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
                Source: explorer.exe, 00000001.00000000.1844365188.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
                Source: explorer.exe, 00000001.00000000.1844365188.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
                Source: explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
                Source: explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
                Source: explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
                Source: explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
                Source: E636.exe, 00000006.00000003.2213042327.0000000003E1F000.00000004.00000800.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2213129167.0000000003E08000.00000004.00000800.00020000.00000000.sdmp, 2DF0.exe, 00000009.00000002.2989495989.000000000A341000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: E636.exe, 00000006.00000003.2213042327.0000000003E1F000.00000004.00000800.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2213129167.0000000003E08000.00000004.00000800.00020000.00000000.sdmp, 2DF0.exe, 00000009.00000002.2989495989.000000000A341000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: resources.pak.11.dr | String found in binary or memory: https://chrome.google.com/webstore
                Source: setup.exe, 0000000B.00000002.3769420567.0000000002735000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000E.00000002.3479833750.00000000063D0000.00000002.00000001.00040000.0000001C.sdmp, hi.pak.11.dr, bg.pak.11.dr, it.pak.11.dr | String found in binary or memory: https://chrome.google.com/webstore/category/extensions
                Source: bg.pak.11.dr | String found in binary or memory: https://chrome.google.com/webstore?hl=bg&category=theme81https://myactivity.google.com/myactivity/?u
                Source: bg.pak.11.dr | String found in binary or memory: https://chrome.google.com/webstore?hl=bgCtrl$1
                Source: GamePall.exe, 0000000E.00000002.3479833750.00000000063D0000.00000002.00000001.00040000.0000001C.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u
                Source: GamePall.exe, 0000000E.00000002.3479833750.00000000063D0000.00000002.00000001.00040000.0000001C.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enCtrl$1
                Source: hi.pak.11.dr | String found in binary or memory: https://chrome.google.com/webstore?hl=hi&category=theme81https://myactivity.google.com/myactivity/?u
                Source: hi.pak.11.dr | String found in binary or memory: https://chrome.google.com/webstore?hl=hiCtrl$1
                Source: it.pak.11.dr | String found in binary or memory: https://chrome.google.com/webstore?hl=it&category=theme81https://myactivity.google.com/myactivity/?u
                Source: it.pak.11.dr | String found in binary or memory: https://chrome.google.com/webstore?hl=itCtrl$1
                Source: setup.exe, 0000000B.00000002.3769420567.0000000002735000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?u
                Source: setup.exe, 0000000B.00000002.3769420567.0000000002735000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=zh-CN&category=theme81https://myactivity.google.com/myactivity
                Source: setup.exe, 0000000B.00000002.3769420567.0000000002735000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=zh-CNCtrl$1
                Source: setup.exe, 0000000B.00000002.3769420567.0000000002735000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=zh-TW&category=theme81https://myactivity.google.com/myactivity
                Source: setup.exe, 0000000B.00000002.3769420567.0000000002735000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=zh-TWCtrl$1
                Source: setup.exe, 0000000B.00000002.3769420567.0000000002735000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000E.00000002.3479833750.00000000063D0000.00000002.00000001.00040000.0000001C.sdmp, hi.pak.11.dr, bg.pak.11.dr, it.pak.11.dr | String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
                Source: setup.exe, 0000000B.00000002.3769420567.0000000002735000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000E.00000002.3479833750.00000000063D0000.00000002.00000001.00040000.0000001C.sdmp, hi.pak.11.dr, bg.pak.11.dr, it.pak.11.dr | String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
                Source: setup.exe, 0000000B.00000002.3769420567.0000000002735000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000E.00000002.3479833750.00000000063D0000.00000002.00000001.00040000.0000001C.sdmp, hi.pak.11.dr, bg.pak.11.dr, it.pak.11.dr | String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
                Source: setup.exe, 0000000B.00000002.3769420567.0000000002735000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000E.00000002.3479833750.00000000063D0000.00000002.00000001.00040000.0000001C.sdmp, hi.pak.11.dr, bg.pak.11.dr, it.pak.11.dr | String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
                Source: setup.exe, 0000000B.00000002.3769420567.0000000002735000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000E.00000002.3479833750.00000000063D0000.00000002.00000001.00040000.0000001C.sdmp, hi.pak.11.dr, bg.pak.11.dr, it.pak.11.dr | String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
                Source: setup.exe, 0000000B.00000002.3769420567.0000000002735000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000E.00000002.3479833750.00000000063D0000.00000002.00000001.00040000.0000001C.sdmp, hi.pak.11.dr, bg.pak.11.dr, it.pak.11.dr | String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
                Source: setup.exe, 0000000B.00000002.3769420567.0000000002735000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000E.00000002.3479833750.00000000063D0000.00000002.00000001.00040000.0000001C.sdmp, hi.pak.11.dr, bg.pak.11.dr, it.pak.11.dr | String found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
                Source: E636.exe, 00000006.00000003.2237638501.00000000016E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
                Source: E636.exe, 00000006.00000003.2237638501.00000000016E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                Source: 2DF0.exe, 00000009.00000002.2987292224.000000000124D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://d136azpfpnge1l.cloudfront.net/;
                Source: 2DF0.exe, 00000009.00000002.2987292224.000000000124D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://d301sr5gafysq2.cloudfront.net/
                Source: E636.exe, 00000006.00000003.2213042327.0000000003E1F000.00000004.00000800.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2213129167.0000000003E08000.00000004.00000800.00020000.00000000.sdmp, 2DF0.exe, 00000009.00000002.2989495989.000000000A341000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: E636.exe, 00000006.00000003.2213042327.0000000003E1F000.00000004.00000800.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2213129167.0000000003E08000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: E636.exe, 00000006.00000003.2213042327.0000000003E1F000.00000004.00000800.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2213129167.0000000003E08000.00000004.00000800.00020000.00000000.sdmp, 2DF0.exe, 00000009.00000002.2989495989.000000000A341000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: explorer.exe, 00000001.00000000.1848132573.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.com
                Source: E636.exe, 00000006.00000003.2212422021.00000000016FE000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2223257274.000000000175F000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2234378949.00000000016FE000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2264120478.0000000001701000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2305761007.0000000001777000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2235294827.0000000001700000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2279914840.0000000001777000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000002.2309380905.0000000001777000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2232951408.000000000175F000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2236092761.0000000001700000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2285339247.000000000176C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/
                Source: E636.exe, 00000006.00000003.2234378949.000000000175F000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2236092761.000000000175F000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2232951408.000000000175F000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2247835335.000000000175F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/))
                Source: E636.exe, 00000006.00000003.2306543149.0000000001757000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2307179911.0000000001757000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000002.2309225728.000000000175F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/0Hx
                Source: E636.exe, 00000006.00000003.2279914840.0000000001777000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2285339247.000000000176C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/F9
                Source: E636.exe, 00000006.00000003.2232951408.00000000016FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/P
                Source: E636.exe, 00000006.00000003.2247835335.000000000175F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/api
                Source: E636.exe, 00000006.00000003.2306543149.0000000001757000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000002.2309359717.0000000001767000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2306987140.0000000001764000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/apiAs
                Source: E636.exe, 00000006.00000003.2306543149.0000000001757000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2285575589.0000000001757000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000002.2309359717.0000000001767000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2306987140.0000000001764000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/apiP
                Source: E636.exe, 00000006.00000003.2280247691.0000000001766000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/apids
                Source: E636.exe, 00000006.00000003.2285575589.0000000001757000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2280247691.0000000001766000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/apins
                Source: E636.exe, 00000006.00000003.2247835335.000000000175F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/bm
                Source: E636.exe, 00000006.00000003.2279914840.0000000001777000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2285339247.000000000176C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/bu
                Source: E636.exe, 00000006.00000003.2305761007.0000000001777000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2279914840.0000000001777000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000002.2309380905.0000000001777000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2285339247.000000000176C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/dtcLx
                Source: E636.exe, 00000006.00000003.2247835335.000000000175F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/jh5S
                Source: E636.exe, 00000006.00000003.2223257274.000000000175F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/k
                Source: E636.exe, 00000006.00000003.2247835335.000000000175F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/la
                Source: E636.exe, 00000006.00000003.2247835335.000000000175F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/la.S
                Source: E636.exe, 00000006.00000003.2223257274.000000000175F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/ldOL
                Source: E636.exe, 00000006.00000002.2309380905.0000000001777000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2232951408.000000000175F000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2247835335.000000000175F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/pi
                Source: E636.exe, 00000006.00000003.2212422021.00000000016FE000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2223257274.00000000016FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/pim
                Source: E636.exe, 00000006.00000003.2223257274.000000000175F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/r0L
                Source: E636.exe, 00000006.00000003.2263990356.000000000176C000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2264750383.000000000176F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/s
                Source: E636.exe, 00000006.00000003.2263990356.000000000176C000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2264750383.000000000176F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/s.S
                Source: E636.exe, 00000006.00000003.2263990356.000000000176C000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2264750383.000000000176F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/t
                Source: E636.exe, 00000006.00000003.2279914840.0000000001777000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/xLs
                Source: E636.exe, 00000006.00000003.2212422021.00000000016E3000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2223257274.00000000016E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop:443/api
                Source: explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
                Source: explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
                Source: explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
                Source: explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
                Source: explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
                Source: explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
                Source: explorer.exe, 00000001.00000000.1844365188.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
                Source: E636.exe, 00000006.00000003.2237638501.00000000016E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
                Source: setup.exe, 0000000B.00000002.3769420567.0000000002735000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000E.00000002.3479833750.00000000063D0000.00000002.00000001.00040000.0000001C.sdmp, hi.pak.11.dr, bg.pak.11.dr, it.pak.11.dr | String found in binary or memory: https://myactivity.google.com/
                Source: explorer.exe, 00000001.00000000.1848132573.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.com_
                Source: bg.pak.11.dr | String found in binary or memory: https://passwords.google.com
                Source: setup.exe, 0000000B.00000002.3769420567.0000000002735000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000E.00000002.3479833750.00000000063D0000.00000002.00000001.00040000.0000001C.sdmp, hi.pak.11.dr, it.pak.11.dr | String found in binary or memory: https://passwords.google.comGoogle
                Source: setup.exe, 0000000B.00000002.3769420567.0000000002735000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000E.00000002.3479833750.00000000063D0000.00000002.00000001.00040000.0000001C.sdmp, hi.pak.11.dr, bg.pak.11.dr, it.pak.11.dr | String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
                Source: setup.exe, 0000000B.00000002.3769420567.0000000002735000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000E.00000002.3479833750.00000000063D0000.00000002.00000001.00040000.0000001C.sdmp, hi.pak.11.dr, bg.pak.11.dr, it.pak.11.dr | String found in binary or memory: https://policies.google.com/
                Source: explorer.exe, 00000001.00000000.1848132573.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://powerpoint.office.comcember
                Source: 2DF0.exe, 00000009.00000002.2987292224.000000000124D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
                Source: 2DF0.exe, 00000009.00000002.2987292224.000000000124D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
                Source: explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
                Source: setup.exe, 0000000B.00000002.3769420567.0000000002735000.00000004.00000020.00020000.00000000.sdmp, hi.pak.11.dr, bg.pak.11.dr, it.pak.11.dr | String found in binary or memory: https://support.google.com/chrome/a/answer/9122284
                Source: setup.exe, 0000000B.00000002.3769420567.0000000002735000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000E.00000002.3479833750.00000000063D0000.00000002.00000001.00040000.0000001C.sdmp, hi.pak.11.dr, bg.pak.11.dr, it.pak.11.dr | String found in binary or memory: https://support.google.com/chrome/answer/6098869
                Source: setup.exe, 0000000B.00000002.3769420567.0000000002735000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000E.00000002.3479833750.00000000063D0000.00000002.00000001.00040000.0000001C.sdmp, hi.pak.11.dr, bg.pak.11.dr, it.pak.11.dr | String found in binary or memory: https://support.google.com/chromebook?p=app_intent
                Source: E636.exe, 00000006.00000003.2212749407.0000000003E4E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.microsof
                Source: E636.exe, 00000006.00000003.2237221082.0000000003F1B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                Source: E636.exe, 00000006.00000003.2237221082.0000000003F1B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                Source: E636.exe, 00000006.00000003.2212749407.0000000003E4C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                Source: E636.exe, 00000006.00000003.2212749407.0000000003E4C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                Source: GamePall.exe, GamePall.exe, 0000000E.00000002.3473718724.0000000004E76000.00000002.00000001.01000000.00000012.sdmp, GamePall.exe, 0000000E.00000002.3473498425.0000000004E32000.00000002.00000001.01000000.00000012.sdmp | String found in binary or memory: https://svn.apache.org/repos/asf/logging/log4net/tags/2.0.8RC1
                Source: 2DF0.exe, 00000009.00000002.2987292224.000000000124D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-rep
                Source: explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
                Source: explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
                Source: explorer.exe, 00000001.00000000.1848132573.000000000C557000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://wns.windows.com/L
                Source: explorer.exe, 00000001.00000000.1848132573.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://word.office.com
                Source: Newtonsoft.Json.dll.11.dr | String found in binary or memory: https://www.digicert.com/CPS0
                Source: E636.exe, 00000006.00000003.2213042327.0000000003E1F000.00000004.00000800.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2213129167.0000000003E08000.00000004.00000800.00020000.00000000.sdmp, 2DF0.exe, 00000009.00000002.2989495989.000000000A341000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: E636.exe, 00000006.00000003.2237638501.00000000016E2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
                Source: resources.pak.11.dr | String found in binary or memory: https://www.google.com/
                Source: setup.exe, 0000000B.00000002.3769420567.0000000002735000.00000004.00000020.00020000.00000000.sdmp, hi.pak.11.dr, bg.pak.11.dr | String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html
                Source: it.pak.11.dr | String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlG&uidaGestito
                Source: GamePall.exe, 0000000E.00000002.3479833750.00000000063D0000.00000002.00000001.00040000.0000001C.sdmp | String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged
                Source: E636.exe, 00000006.00000003.2213042327.0000000003E1F000.00000004.00000800.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2213129167.0000000003E08000.00000004.00000800.00020000.00000000.sdmp, 2DF0.exe, 00000009.00000002.2989495989.000000000A341000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: E636.exe, 00000006.00000003.2237221082.0000000003F1B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
                Source: E636.exe, 00000006.00000003.2237221082.0000000003F1B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
                Source: E636.exe, 00000006.00000003.2237221082.0000000003F1B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                Source: E636.exe, 00000006.00000003.2237221082.0000000003F1B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                Source: E636.exe, 00000006.00000003.2237221082.0000000003F1B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                Source: explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
                Source: explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
                Source: explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1844365188.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
                Source: explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
                Source: explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
                Source: explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
                Source: explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
                Source: explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
                Source: explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
                Source: explorer.exe, 00000001.00000000.1844365188.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
                Source: explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
                Source: explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
                Source: explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
                Source: explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com:443/en-us/feed
                Source: Newtonsoft.Json.dll.11.dr | String found in binary or memory: https://www.newtonsoft.com/json
                Source: Newtonsoft.Json.dll.11.dr | String found in binary or memory: https://www.newtonsoft.com/jsonschema
                Source: Newtonsoft.Json.dll.11.dr | String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
                Source: explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
                Source: explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
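
The foodypannyjsud.shop rows above are one endpoint seen in many copies: the only well-formed spelling is https://foodypannyjsud.shop:443/api, and suffixes such as /apiP, /apids and /apins read as leftovers of a reused buffer in the E636.exe heap, captured at different moments. The script below, an added example that is not part of the report, groups URL findings by host, records which processes or dropped files each host was seen in, and ranks hosts that look like C2 candidates. The allowlist and the ranking rule are this example's own assumptions; the embedded sample rows are copied from the findings above, in the fused form in which they were extracted.

```python
"""Triage of 'String found in binary or memory' rows from a sandbox report.

Added example, not part of the report. URLs are grouped by host, each host is
annotated with the processes and dropped files it was seen in, and hosts that
look like C2 candidates are ranked. The allowlist and the ranking rule are
assumptions made for this example.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Vendor/browser domains expected in memory as resource, help or feed strings
# (assumed allowlist; extend it for your own environment).
ASSUMED_BENIGN_SUFFIXES = (
    "google.com", "msn.com", "mozilla.org", "office.com", "windows.com",
    "newtonsoft.com", "nuget.org", "digicert.com", "apache.org",
)

# Matches both the fused form ("...sdmpString found...") and a " | " separated one.
ROW_RE = re.compile(
    r"Source:\s*(?P<src>.*?)\s*\|?\s*String found in binary or memory:\s*(?P<url>\S+)"
)
ARTIFACT_RE = re.compile(r"[\w.-]+\.(?:exe|dr)\b")   # process images and dropped files


def parse_row(line):
    """Return (set of source artifacts, url), or None for rows of another kind."""
    m = ROW_RE.search(line)
    if not m:
        return None
    return set(ARTIFACT_RE.findall(m.group("src"))), m.group("url")


def host_of(url):
    """Lower-cased hostname without the port. Trailing memory junk such as
    'outlook.com_' is kept on purpose so the analyst can see it."""
    return (urlsplit(url).hostname or "").lower()


def is_assumed_benign(host):
    return any(host == s or host.endswith("." + s) for s in ASSUMED_BENIGN_SUFFIXES)


def triage(lines):
    """Per-host summary. A host is a C2 candidate when it is off the allowlist and
    was seen in a process other than explorer.exe (the injected-into shell process
    carries ordinary news-feed and Office strings). 'variants' counts distinct
    spellings: a C2 buffer rebuilt between memory snapshots leaves many truncated
    or partly overwritten copies, which makes a useful ranking signal."""
    by_host = defaultdict(lambda: {"urls": set(), "sources": set()})
    for line in lines:
        parsed = parse_row(line)
        if not parsed:
            continue
        sources, url = parsed
        host = host_of(url)
        if host:
            by_host[host]["urls"].add(url)
            by_host[host]["sources"] |= sources
    summary = {}
    for host, d in by_host.items():
        processes = {s for s in d["sources"] if s.lower().endswith(".exe")}
        candidate = not is_assumed_benign(host) and bool(processes - {"explorer.exe"})
        summary[host] = {
            "urls": sorted(d["urls"]),
            "sources": sorted(d["sources"]),
            "variants": len(d["urls"]),
            "c2_candidate": candidate,
        }
    return summary


def c2_candidates(lines):
    """Candidate hosts, most URL variants first."""
    summary = triage(lines)
    return sorted((h for h, d in summary.items() if d["c2_candidate"]),
                  key=lambda h: (-summary[h]["variants"], h))


# Sample rows copied from the report findings (fused form, as extracted).
SAMPLE_ROWS = [
    "Source: E636.exe, 00000006.00000003.2306543149.0000000001757000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/apiP",
    "Source: E636.exe, 00000006.00000003.2280247691.0000000001766000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/apids",
    "Source: E636.exe, 00000006.00000003.2212422021.00000000016E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop:443/api",
    "Source: explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com:443/en-us/feed",
    "Source: explorer.exe, 00000001.00000000.1848132573.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com_",
    "Source: 2DF0.exe, 00000009.00000002.2987292224.000000000124D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net",
    "Source: Newtonsoft.Json.dll.11.drString found in binary or memory: https://www.newtonsoft.com/json",
    "Source: setup.exe, 0000000B.00000002.3769420567.0000000002735000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000E.00000002.3479833750.00000000063D0000.00000002.00000001.00040000.0000001C.sdmp, hi.pak.11.dr, bg.pak.11.dr, it.pak.11.drString found in binary or memory: https://myactivity.google.com/",
]

if __name__ == "__main__":
    summary = triage(SAMPLE_ROWS)
    for host in c2_candidates(SAMPLE_ROWS):
        print(host, summary[host]["variants"], summary[host]["sources"], summary[host]["urls"])
```

On the sample rows the top candidate is foodypannyjsud.shop with three spellings, all from E636.exe; the Atlassian host from 2DF0.exe also passes the filter, which is why the output is a triage list to confirm against observed network traffic rather than a verdict.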

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                Source: Yara match | File source: 00000000.00000002.1854520815.0000000002500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.2153894558.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.2153984228.0000000003FE1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1854573605.0000000002541000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\AppData\Local\Temp\setup.exe | Code function: 11_2_004055E7 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | Code function: 9_2_03954BA2 GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetDC,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateDIBSection,SelectObject,BitBlt,DeleteObject,DeleteDC,ReleaseDC
                Source: GamePall.exe | Process created: 52

                System Summary

                Source: 00000005.00000002.2153839501.0000000003F90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                Source: 00000000.00000002.1854520815.0000000002500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                Source: 00000005.00000002.2153894558.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                Source: 00000005.00000002.2153984228.0000000003FE1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                Source: 00000000.00000002.1854500732.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                Source: 00000000.00000002.1854573605.0000000002541000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                Source: 00000005.00000002.2153686108.0000000002471000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                Source: 00000000.00000002.1854648292.00000000025B1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                Source: C:\Windows\explorer.exe | Process Stats: CPU usage > 49%
                Source: C:\Users\user\Desktop\5GOuTtZoQn.exe | Code function: 0_2_004030C5 RtlCreateUserThread,NtTerminateProcess
                Source: C:\Users\user\Desktop\5GOuTtZoQn.exe | Code function: 0_2_004015E9 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                Source: C:\Users\user\Desktop\5GOuTtZoQn.exe | Code function: 0_2_00401603 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                Source: C:\Users\user\Desktop\5GOuTtZoQn.exe | Code function: 0_2_00401609 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                Source: C:\Users\user\Desktop\5GOuTtZoQn.exe | Code function: 0_2_00401619 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                Source: C:\Users\user\Desktop\5GOuTtZoQn.exe | Code function: 0_2_00403222 RtlCreateUserThread,NtTerminateProcess
                Source: C:\Users\user\Desktop\5GOuTtZoQn.exe | Code function: 0_2_00401632 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                Source: C:\Users\user\Desktop\5GOuTtZoQn.exe | Code function: 0_2_004033D2 NtTerminateProcess,GetModuleHandleA,CreateFileW,GetForegroundWindow
                Source: C:\Users\user\Desktop\5GOuTtZoQn.exe | Code function: 0_2_004033D9 NtTerminateProcess,GetModuleHandleA,CreateFileW,GetForegroundWindow
                Source: C:\Users\user\Desktop\5GOuTtZoQn.exe | Code function: 0_2_004033DF NtTerminateProcess,GetModuleHandleA,CreateFileW,GetForegroundWindow
                Source: C:\Users\user\Desktop\5GOuTtZoQn.exe | Code function: 0_2_004015F4 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                Source: C:\Users\user\Desktop\5GOuTtZoQn.exe | Code function: 0_2_004033F5 NtTerminateProcess,GetModuleHandleA,CreateFileW,GetForegroundWindow
                Source: C:\Users\user\Desktop\5GOuTtZoQn.exe | Code function: 0_2_004017F7 NtMapViewOfSection
                Source: C:\Users\user\Desktop\5GOuTtZoQn.exe | Code function: 0_2_00403385 NtTerminateProcess,GetModuleHandleA,CreateFileW,GetForegroundWindow
                Source: C:\Users\user\Desktop\5GOuTtZoQn.exe | Code function: 0_2_0040338F NtTerminateProcess,GetModuleHandleA,CreateFileW,GetForegroundWindow
                Source: C:\Users\user\Desktop\5GOuTtZoQn.exe | Code function: 0_2_00403399 NtTerminateProcess,GetModuleHandleA,CreateFileW,GetForegroundWindow
                Source: C:\Users\user\Desktop\5GOuTtZoQn.exe | Code function: 0_2_004033A5 NtTerminateProcess,GetModuleHandleA,CreateFileW,GetForegroundWindow,wcsstr
                Source: C:\Users\user\AppData\Roaming\wdugfia | Code function: 5_2_004030C5 RtlCreateUserThread,NtTerminateProcess
                Source: C:\Users\user\AppData\Roaming\wdugfia | Code function: 5_2_004015E9 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                Source: C:\Users\user\AppData\Roaming\wdugfia | Code function: 5_2_00401603 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                Source: C:\Users\user\AppData\Roaming\wdugfia | Code function: 5_2_00401609 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                Source: C:\Users\user\AppData\Roaming\wdugfia | Code function: 5_2_00401619 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                Source: C:\Users\user\AppData\Roaming\wdugfia | Code function: 5_2_00403222 RtlCreateUserThread,NtTerminateProcess
                Source: C:\Users\user\AppData\Roaming\wdugfia | Code function: 5_2_00401632 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                Source: C:\Users\user\AppData\Roaming\wdugfia | Code function: 5_2_004033D2 NtTerminateProcess,GetModuleHandleA,CreateFileW,GetForegroundWindow
                Source: C:\Users\user\AppData\Roaming\wdugfia | Code function: 5_2_004033D9 NtTerminateProcess,GetModuleHandleA,CreateFileW,GetForegroundWindow
                Source: C:\Users\user\AppData\Roaming\wdugfia | Code function: 5_2_004033DF NtTerminateProcess,GetModuleHandleA,CreateFileW,GetForegroundWindow
                Source: C:\Users\user\AppData\Roaming\wdugfia | Code function: 5_2_004015F4 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                Source: C:\Users\user\AppData\Roaming\wdugfia | Code function: 5_2_004033F5 NtTerminateProcess,GetModuleHandleA,CreateFileW,GetForegroundWindow
                Source: C:\Users\user\AppData\Roaming\wdugfia | Code function: 5_2_004017F7 NtMapViewOfSection
                Source: C:\Users\user\AppData\Roaming\wdugfia | Code function: 5_2_00403385 NtTerminateProcess,GetModuleHandleA,CreateFileW,GetForegroundWindow
                Source: C:\Users\user\AppData\Roaming\wdugfia | Code function: 5_2_0040338F NtTerminateProcess,GetModuleHandleA,CreateFileW,GetForegroundWindow
                Source: C:\Users\user\AppData\Roaming\wdugfia | Code function: 5_2_00403399 NtTerminateProcess,GetModuleHandleA,CreateFileW,GetForegroundWindow
                Source: C:\Users\user\AppData\Roaming\wdugfia | Code function: 5_2_004033A5 NtTerminateProcess,GetModuleHandleA,CreateFileW,GetForegroundWindow,wcsstr
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_60474FA0 RtlInitUnicodeString,NtOpenKeyEx
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_60475140 RtlInitUnicodeString,NtQueryValueKey,NtQueryValueKey,NtQueryValueKey,NtQueryValueKey,NtQueryValueKey
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_60475610 NtClose
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_604741C0 NtClose,NtClose,RtlInitUnicodeString,NtCreateKey,NtClose,NtClose,RtlInitUnicodeString,NtCreateKey,NtDeleteKey
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_60475120 NtClose
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_60475690 RtlInitUnicodeString,NtSetValueKey
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_60475700 RtlInitUnicodeString,NtSetValueKey
                Source: C:\Users\user\AppData\Local\Temp\setup.exe | Code function: 11_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | Code function: 9_2_00B61490
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | Code function: 9_2_00B6D515
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | Code function: 9_2_00B6BE09
                Source: C:\Users\user\AppData\Local\Temp\setup.exe | Code function: 11_2_00406A88
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_604A0D00
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_604A36F0
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_6047DC00
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_604A3C00
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_604940D0
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_604520B0
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_604B40B0
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_604741C0
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_604B61B0
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_604F427A
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_6047C220
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_604562CD
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_6049A370
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_604563ED
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_604D4397
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_60520400
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_604564C9
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_604B2490
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_6049A570
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_604C65A0
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_60452640
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_60498610
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_6048C6C0
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_60462700
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_604587FD
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_60496790
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_6048C7A0
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_604A8840
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_60456855
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_604C8860
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_604AE830
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_604988A0
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_6051C960
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_60480970
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_60520930
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_60456A5D
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_60522A7014_2_60522A70
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_604C2A9014_2_604C2A90
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_60498BC014_2_60498BC0
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_604C6BA014_2_604C6BA0
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_604D6C4014_2_604D6C40
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_60454C0014_2_60454C00
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_60452C3014_2_60452C30
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_604AECB014_2_604AECB0
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_604CADE014_2_604CADE0
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_60520E6014_2_60520E60
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_604ACE7014_2_604ACE70
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_60482EE014_2_60482EE0
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_604D2E8A14_2_604D2E8A
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_60464F3014_2_60464F30
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_60452FD714_2_60452FD7
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_6047AFB014_2_6047AFB0
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_605210C014_2_605210C0
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_6052310014_2_60523100
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_604C51D014_2_604C51D0
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_604AD2E014_2_604AD2E0
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_604BF2E014_2_604BF2E0
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_604CF2E014_2_604CF2E0
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_604CB2E014_2_604CB2E0
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_604C32F014_2_604C32F0
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_604A52B014_2_604A52B0
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_6046931014_2_60469310
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_6049147014_2_60491470
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_6047941014_2_60479410
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_6051549014_2_60515490
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_604C149014_2_604C1490
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_6052351014_2_60523510
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_604D75C414_2_604D75C4
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_6052164014_2_60521640
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_604516C014_2_604516C0
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_604F56A914_2_604F56A9
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_6048375014_2_60483750
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_6051B73014_2_6051B730
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_604A973014_2_604A9730
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_604557D014_2_604557D0
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_604C77D014_2_604C77D0
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_604917F014_2_604917F0
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_604658E014_2_604658E0
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_6049D89014_2_6049D890
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_604C5A4014_2_604C5A40
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_604BDA0014_2_604BDA00
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_60451A3014_2_60451A30
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_60463A8014_2_60463A80
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_60451B6014_2_60451B60
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_604D3B1B14_2_604D3B1B
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_604AFBC014_2_604AFBC0
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_604C3B8014_2_604C3B80
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_604BFB9014_2_604BFB90
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_60467BA014_2_60467BA0
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_604C5BA014_2_604C5BA0
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_604C9C4014_2_604C9C40
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_60491C5014_2_60491C50
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_60455C0014_2_60455C00
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_60453C8014_2_60453C80
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_60451D1014_2_60451D10
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_6047FF0014_2_6047FF00
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_60465F8014_2_60465F80
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_00B64E2014_2_00B64E20
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeCode function: String function: 00B60310 appears 51 times
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: String function: 604FCE60 appears 513 times
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: String function: 604CDF70 appears 52 times
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: String function: 604FB830 appears 61 times
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: String function: 60516700 appears 39 times
                Source: 5GOuTtZoQn.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 00000005.00000002.2153839501.0000000003F90000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                Source: 00000000.00000002.1854520815.0000000002500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                Source: 00000005.00000002.2153894558.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                Source: 00000005.00000002.2153984228.0000000003FE1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                Source: 00000000.00000002.1854500732.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                Source: 00000000.00000002.1854573605.0000000002541000.00000004.10000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                Source: 00000005.00000002.2153686108.0000000002471000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                Source: 00000000.00000002.1854648292.00000000025B1000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                Source: Ionic.Zip.dll.11.dr, WinZipAesCipherStream.csCryptographic APIs: 'TransformBlock'
                Source: Ionic.Zip.dll.11.dr, WinZipAesCipherStream.csCryptographic APIs: 'TransformFinalBlock'
                Source: Ionic.Zip.dll.11.dr, WinZipAesCipherStream.csCryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
Source: GamePall.exe.11.dr, Program.cs Base64 encoded strings found in the binary (encoded values not reproduced here)
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@240/115@0/8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Code function: 14_2_605165D0 FormatMessageA,GetLastError,_strlen
Source: C:\Users\user\AppData\Local\Temp\setup.exe Code function: 11_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\setup.exe Code function: 11_2_00404897 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
Source: C:\Users\user\Desktop\5GOuTtZoQn.exe Code function: 0_2_025B49F2 CreateToolhelp32Snapshot,Module32First
Source: C:\Users\user\AppData\Local\Temp\setup.exe Code function: 11_2_00402173 CoCreateInstance,MultiByteToWideChar
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\wdugfia
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Mutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_GamePall_Logs_rendLog.txt
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2284:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\2DF0.exe Mutant created: \Sessions\1\BaseNamedObjects\1e7f31ac-1494-47cc-9633-054c20e7432e
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Mutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_GamePall_Logs_mainLog.txt
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\E636.tmp
Source: 5GOuTtZoQn.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\explorer.exe File read: C:\Program Files (x86)\desktop.ini
Source: C:\Users\user\Desktop\5GOuTtZoQn.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: E636.exe, 00000006.00000003.2212835658.0000000003E24000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 5GOuTtZoQn.exe ReversingLabs: Detection: 60%
Source: unknown Process created: C:\Users\user\Desktop\5GOuTtZoQn.exe "C:\Users\user\Desktop\5GOuTtZoQn.exe"
Source: C:\Windows\explorer.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\wdugfia C:\Users\user\AppData\Roaming\wdugfia
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\E636.exe C:\Users\user\AppData\Local\Temp\E636.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\AD6.exe C:\Users\user\AppData\Local\Temp\AD6.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\2DF0.exe C:\Users\user\AppData\Local\Temp\2DF0.exe
Source: C:\Users\user\AppData\Local\Temp\AD6.exe Process created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe"
Source: C:\Users\user\AppData\Local\Temp\setup.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/127.1 Mobile/15E148 Safari/605.1.15" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3308 --field-trial-handle=3304,i,784606554325148639,9845247229423355752,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/127.1 Mobile/15E148 Safari/605.1.15" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3528 --field-trial-handle=3304,i,784606554325148639,9845247229423355752,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/127.1 Mobile/15E148 Safari/605.1.15" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3664 --field-trial-handle=3304,i,784606554325148639,9845247229423355752,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/127.1 Mobile/15E148 Safari/605.1.15" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719999716977116 --launch-time-ticks=7077579277 --mojo-platform-channel-handle=3760 --field-trial-handle=3304,i,784606554325148639,9845247229423355752,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/127.1 Mobile/15E148 Safari/605.1.15" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719999716977116 --launch-time-ticks=7077667358 --mojo-platform-channel-handle=4152 --field-trial-handle=3304,i,784606554325148639,9845247229423355752,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\wdugfia C:\Users\user\AppData\Roaming\wdugfia
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\E636.exe C:\Users\user\AppData\Local\Temp\E636.exe
Source: C:\Windows\explorer.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\2DF0.exe C:\Users\user\AppData\Local\Temp\2DF0.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\AD6.exe Process created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe"
Source: C:\Users\user\AppData\Local\Temp\setup.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/127.1 Mobile/15E148 Safari/605.1.15" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3308 --field-trial-handle=3304,i,784606554325148639,9845247229423355752,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/127.1 Mobile/15E148 Safari/605.1.15" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3528 --field-trial-handle=3304,i,784606554325148639,9845247229423355752,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/127.1 Mobile/15E148 Safari/605.1.15" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3664 --field-trial-handle=3304,i,784606554325148639,9845247229423355752,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/127.1 Mobile/15E148 Safari/605.1.15" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719999716977116 --launch-time-ticks=7077579277 --mojo-platform-channel-handle=3760 --field-trial-handle=3304,i,784606554325148639,9845247229423355752,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/127.1 Mobile/15E148 Safari/605.1.15" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719999716977116 --launch-time-ticks=7077667358 --mojo-platform-channel-handle=4152 --field-trial-handle=3304,i,784606554325148639,9845247229423355752,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" (17 identical entries)
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown (35 identical entries)
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" (2 identical entries)
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown (18 identical entries)
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown (119 identical entries)
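The process-creation entries above show explorer.exe launching short hex-named executables from %TEMP% (E636.exe, 2DF0.exe), Windows Defender's MpCmdRun.exe with -wdenable, and a CEF-based GamePall.exe whose gpu, utility and renderer children all carry --no-sandbox. The script below is an added example, not part of the Joe Sandbox report: it parses entries of this form into a parent/child tree and flags those edges. The sample lines are copied from the report (tolerating the fused "explorer.exeProcess created:" form of the raw export); the rule names and the hex-name heuristic are the editor's own, not Joe Sandbox signatures.

```python
"""Parse sandbox 'Process created' entries into a process tree and flag
suspicious parent/child edges.

Added example; the sample lines come from the report above, the rule
names and path heuristics are the editor's own.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the report's own entries. The first five
# come from explorer.exe, the rest from the AD6.exe -> setup.exe -> GamePall.exe chain.
SAMPLE_LINES = [
    r"Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\E636.exe C:\Users\user\AppData\Local\Temp\E636.exe",
    r'Source: C:\Windows\explorer.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable',
    r"Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\2DF0.exe C:\Users\user\AppData\Local\Temp\2DF0.exe",
    r'Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"',
    r"Source: C:\Windows\explorer.exe Process created: unknown unknown",
    r'Source: C:\Users\user\AppData\Local\Temp\AD6.exe Process created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe"',
    r"Source: C:\Users\user\AppData\Local\Temp\setup.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe C:\Users\user\AppData\Roaming\GamePall\GamePall.exe",
    r'Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable',
]

# Parent path, child image (up to its first '.exe', so paths with spaces
# survive) and the remaining command line. 'unknown unknown' is accepted.
# Works for both "explorer.exe Process created:" and the fused
# "explorer.exeProcess created:" that the raw export produces.
ENTRY_RE = re.compile(
    r"^Source:\s*(?P<parent>.+?)\s*Process created:\s*"
    r"(?P<image>.+?\.exe|unknown)(?:\s+(?P<cmdline>.*?))?\s*$",
    re.IGNORECASE,
)

# Short, all-hex names directly under %TEMP% (E636.exe, 2DF0.exe, AD6.exe
# in this report). Editor's heuristic for loader-dropped payloads.
HEX_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\[0-9A-Fa-f]{1,4}\.exe$")


def parse_line(line):
    """Return (parent, image, cmdline) or None for a non 'Process created' line."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return m["parent"], m["image"], (m["cmdline"] or "").strip()


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def build_tree(lines):
    """Map each parent image to the child images it created, in report order."""
    tree = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry:
            parent, image, _ = entry
            tree[parent].append(image)
    return dict(tree)


def find_suspicious(lines):
    """Apply the edge rules and return (rule, parent, child) tuples."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        parent, image, cmdline = entry
        from_explorer = basename(parent) == "explorer.exe"
        if from_explorer and HEX_TEMP_RE.search(image):
            findings.append(("explorer_spawns_temp_hex_exe", parent, image))
        if from_explorer and basename(image) == "mpcmdrun.exe" and "-wdenable" in cmdline.lower():
            findings.append(("explorer_runs_mpcmdrun_wdenable", parent, image))
        if "--no-sandbox" in cmdline.split():
            findings.append(("chromium_child_without_sandbox", parent, image))
        if image.lower() == "unknown":
            findings.append(("child_image_unknown", parent, image))
    return findings


if __name__ == "__main__":
    for parent, children in build_tree(SAMPLE_LINES).items():
        print(basename(parent), "->", [basename(c) for c in children])
    for rule, parent, child in find_suspicious(SAMPLE_LINES):
        print(f"[{rule}] {parent} -> {child}")
```

On a real endpoint explorer.exe legitimately starts whatever the user double-clicks, so the explorer.exe rules are triage hints for a sandbox trace rather than production alerts; the --no-sandbox flag is worth keeping either way, since a Chromium-based shell that disables its own sandbox removes the one boundary between its renderer and the rest of the host.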
                Source: C:\Users\user\Desktop\5GOuTtZoQn.exe Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\5GOuTtZoQn.exe Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\5GOuTtZoQn.exe Section loaded: msimg32.dll
                Source: C:\Users\user\Desktop\5GOuTtZoQn.exe Section loaded: msvcr100.dll
                Source: C:\Windows\explorer.exe Section loaded: taskschd.dll
                Source: C:\Windows\explorer.exe Section loaded: webio.dll
                Source: C:\Windows\explorer.exe Section loaded: cdprt.dll
                Source: C:\Windows\explorer.exe Section loaded: smartscreenps.dll
                Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: mpclient.dll
                Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: secur32.dll
                Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: sspicli.dll
                Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: version.dll
                Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: msasn1.dll
                Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: kernel.appcore.dll
                Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: userenv.dll
                Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: gpapi.dll
                Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: wbemcomn.dll
                Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: amsi.dll
                Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: profapi.dll
                Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: wscapi.dll
                Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: urlmon.dll
                Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: iertutil.dll
                Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: srvcli.dll
                Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: netutils.dll
                Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: slc.dll
                Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: sppc.dll
                Source: C:\Users\user\AppData\Roaming\wdugfia Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Roaming\wdugfia Section loaded: winhttp.dll
                Source: C:\Users\user\AppData\Roaming\wdugfia Section loaded: msimg32.dll
                Source: C:\Users\user\AppData\Roaming\wdugfia Section loaded: msvcr100.dll
                Source: C:\Users\user\AppData\Local\Temp\E636.exe Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Local\Temp\E636.exe Section loaded: winhttp.dll
                Source: C:\Users\user\AppData\Local\Temp\E636.exe Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\AppData\Local\Temp\E636.exe Section loaded: webio.dll
                Source: C:\Users\user\AppData\Local\Temp\E636.exe Section loaded: mswsock.dll
                Source: C:\Users\user\AppData\Local\Temp\E636.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Local\Temp\E636.exe Section loaded: winnsi.dll
                Source: C:\Users\user\AppData\Local\Temp\E636.exe Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Local\Temp\E636.exe Section loaded: dnsapi.dll
                Source: C:\Users\user\AppData\Local\Temp\E636.exe Section loaded: rasadhlp.dll
                Source: C:\Users\user\AppData\Local\Temp\E636.exe Section loaded: fwpuclnt.dll
                Source: C:\Users\user\AppData\Local\Temp\E636.exe Section loaded: schannel.dll
                Source: C:\Users\user\AppData\Local\Temp\E636.exe Section loaded: mskeyprotect.dll
                Source: C:\Users\user\AppData\Local\Temp\E636.exe Section loaded: ntasn1.dll
                Source: C:\Users\user\AppData\Local\Temp\E636.exe Section loaded: ncrypt.dll
                Source: C:\Users\user\AppData\Local\Temp\E636.exe Section loaded: ncryptsslp.dll
                Source: C:\Users\user\AppData\Local\Temp\E636.exe Section loaded: msasn1.dll
                Source: C:\Users\user\AppData\Local\Temp\E636.exe Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Local\Temp\E636.exe Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Local\Temp\E636.exe Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Local\Temp\E636.exe Section loaded: gpapi.dll
                Source: C:\Users\user\AppData\Local\Temp\E636.exe Section loaded: dpapi.dll
                Source: C:\Users\user\AppData\Local\Temp\E636.exe Section loaded: ondemandconnroutehelper.dll (6 identical entries)
                Source: C:\Users\user\AppData\Local\Temp\E636.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Local\Temp\E636.exe Section loaded: wbemcomn.dll
                Source: C:\Users\user\AppData\Local\Temp\E636.exe Section loaded: amsi.dll
                Source: C:\Users\user\AppData\Local\Temp\E636.exe Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Local\Temp\E636.exe Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Local\Temp\E636.exe Section loaded: version.dll
                Source: C:\Users\user\AppData\Local\Temp\E636.exe Section loaded: wbemcomn.dll
                Source: C:\Users\user\AppData\Local\Temp\E636.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Local\Temp\E636.exe Section loaded: ondemandconnroutehelper.dll (2 identical entries)
                Source: C:\Users\user\AppData\Local\Temp\AD6.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Local\Temp\AD6.exe Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Local\Temp\AD6.exe Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Local\Temp\AD6.exe Section loaded: propsys.dll
                Source: C:\Users\user\AppData\Local\Temp\AD6.exeSection loaded: dwmapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\AD6.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\AD6.exeSection loaded: oleacc.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\AD6.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\AD6.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\AD6.exeSection loaded: shfolder.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\AD6.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\AD6.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\AD6.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\AD6.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\AD6.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\AD6.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\AD6.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\AD6.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\AD6.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\AD6.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\AD6.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\AD6.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\AD6.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\AD6.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\AD6.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\AD6.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\AD6.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\AD6.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: acgenral.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: samcli.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: msacm32.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: dwmapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: winmmbase.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: winmmbase.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: oleacc.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: shfolder.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: firewallapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: fwbase.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\setup.exeSection loaded: fwpolicyiomgr.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wbemcomn.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: amsi.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mmdevapi.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: devobj.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: audioses.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: powrprof.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: umpdc.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.ui.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windowmanagementapi.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: textinputframework.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: inputhost.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: twinapi.appcore.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coremessaging.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: twinapi.appcore.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coreuicomponents.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coremessaging.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coremessaging.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: propsys.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wintypes.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coreuicomponents.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ntmarta.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rasapi32.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rasman.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rtutils.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mswsock.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winhttp.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc6.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dnsapi.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winnsi.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rasadhlp.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: fwpuclnt.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dbghelp.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winmm.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: secur32.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: chrome_elf.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dwrite.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dpapi.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: nlaapi.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: edputil.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: urlmon.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iertutil.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: srvcli.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: netutils.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: gpapi.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wkscli.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wtsapi32.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mdmregistration.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mdmregistration.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msvcp110_win.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: omadmapi.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dmcmnutils.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iri.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscms.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: coloradapterclient.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winsta.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: netapi32.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dsreg.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msvcp110_win.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: appresolver.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: bcp47langs.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: slc.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sppc.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dbghelp.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winmm.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: secur32.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winhttp.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: chrome_elf.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dwrite.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ntmarta.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dxgi.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dbghelp.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winmm.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: secur32.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winhttp.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: chrome_elf.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dwrite.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ntmarta.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dbghelp.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winmm.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: secur32.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winhttp.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: chrome_elf.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dwrite.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ntmarta.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc6.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dnsapi.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: nlaapi.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dbghelp.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winmm.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iphlpapi.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: secur32.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: winhttp.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: chrome_elf.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dwrite.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: dhcpcsvc.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: msasn1.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ntmarta.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: wbemcomn.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: amsi.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: propsys.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: edputil.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: urlmon.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Section loaded: iertutil.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: srvcli.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: netutils.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wintypes.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: appresolver.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: bcp47langs.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: slc.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sppc.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecoreuapcommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wbemcomn.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: amsi.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: propsys.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: edputil.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: urlmon.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: iertutil.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: srvcli.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: netutils.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wintypes.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: appresolver.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: bcp47langs.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: slc.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sppc.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecoreuapcommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wbemcomn.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: amsi.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: propsys.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: edputil.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: urlmon.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: iertutil.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: srvcli.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: netutils.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wintypes.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: appresolver.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: bcp47langs.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: slc.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sppc.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecoreuapcommonproxystub.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: uxtheme.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\AppData\Local\Temp\setup.exeRegistry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamePallJump to behavior
                Source: C:\Users\user\Desktop\5GOuTtZoQn.exeFile opened: C:\Windows\SysWOW64\msvcr100.dllJump to behavior
                Source: Binary string: ntkrnlmp.pdbx, source: 2DF0.exe, 00000009.00000002.3005724520.000000000A9ED000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdbSHA256f source: Newtonsoft.Json.dll.11.dr
                Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll.pdb source: widevinecdmadapter.dll.11.dr
                Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: 2DF0.exe, 00000009.00000002.3005724520.000000000A9EF000.00000004.00000020.00020000.00000000.sdmp, 2DF0.exe, 00000009.00000002.3005724520.000000000A9ED000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net40/Newtonsoft.Json.pdb source: Newtonsoft.Json.dll.11.dr
                Source: Binary string: libEGL.dll.pdb source: setup.exe, 0000000B.00000002.3769420567.0000000002735000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: ntkrnlmp.pdb source: 2DF0.exe, 00000009.00000002.3005724520.000000000A9EF000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: e:\work\newContent\secondBranch\new\GamePall\obj\Release\GamePall.pdb source: GamePall.exe, 0000000C.00000000.3371439207.0000000000862000.00000002.00000001.01000000.00000010.sdmp
                Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: GamePall.exe, GamePall.exe, 0000000E.00000002.3474550859.00000000052A2000.00000002.00000001.01000000.00000013.sdmp
                Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\chrome_elf.dll.pdb source: GamePall.exe, 0000000E.00000002.3491756212.0000000060529000.00000002.00000001.01000000.00000016.sdmp
                Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: GamePall.exe, 0000000E.00000002.3473498425.0000000004E32000.00000002.00000001.01000000.00000012.sdmp
                Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: GamePall.exe, 0000000E.00000002.3474550859.00000000052A2000.00000002.00000001.01000000.00000013.sdmp
                Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\chrome_elf.dll.pdb source: GamePall.exe, 0000000E.00000002.3491756212.0000000060529000.00000002.00000001.01000000.00000016.sdmp
                Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll.pdbGCTL source: widevinecdmadapter.dll.11.dr
                Source: Binary string: *?|<>/":%s%s.dllC:\Users\user\AppData\Roaming\GamePall\GamePall.exeewall.dllll.pdbC:\Users\user\AppData\Roaming\GamePall\Uninstall.exemePalll source: setup.exe, 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: GamePall.exe, GamePall.exe, 0000000E.00000002.3473498425.0000000004E32000.00000002.00000001.01000000.00000012.sdmp
                Source: Binary string: \Desktop\projects\Release\BigProject.pdb source: 2DF0.exe, 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmp, 2DF0.exe, 00000009.00000000.2323778514.0000000000B79000.00000002.00000001.01000000.0000000C.sdmp, 2DF0.exe.1.dr
                Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\* source: 2DF0.exe, 00000009.00000002.2987292224.000000000126C000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: Xilium.CefGlue.pdb source: setup.exe, 0000000B.00000002.3535618874.0000000000599000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \swiftshaderXilium.CefGlue.pdb source: setup.exe, 0000000B.00000002.3535618874.0000000000599000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831* source: 2DF0.exe, 00000009.00000002.2987292224.000000000126C000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: \Desktop\projects\Release\BigProject.pdb. source: 2DF0.exe, 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmp, 2DF0.exe, 00000009.00000000.2323778514.0000000000B79000.00000002.00000001.01000000.0000000C.sdmp, 2DF0.exe.1.dr

                Data Obfuscation

                Source: C:\Users\user\Desktop\5GOuTtZoQn.exe Unpacked PE file: 0.2.5GOuTtZoQn.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
                Source: C:\Users\user\AppData\Roaming\wdugfia Unpacked PE file: 5.2.wdugfia.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exe Unpacked PE file: 9.2.2DF0.exe.3950000.3.unpack
                Source: Newtonsoft.Json.dll.11.dr Static PE information: 0xF68F744F [Mon Jan 31 06:35:59 2101 UTC]
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exe Code function: 9_2_00B05B80 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,InternetOpenA,FreeLibrary,_strlen,InternetOpenUrlA,FreeLibrary,task,InternetReadFile,FreeLibrary,task, 9_2_00B05B80
                Source: initial sample Static PE information: section where entry point is pointing to: .vmpLp
                Source: E636.exe.1.dr Static PE information: section name: .vmpLp
                Source: E636.exe.1.dr Static PE information: section name: .vmpLp
                Source: E636.exe.1.dr Static PE information: section name: .vmpLp
                Source: libEGL.dll.11.dr Static PE information: section name: .00cfg
                Source: libEGL.dll.11.dr Static PE information: section name: .voltbl
                Source: libGLESv2.dll.11.dr Static PE information: section name: .00cfg
                Source: libGLESv2.dll.11.dr Static PE information: section name: .voltbl
                Source: chrome_elf.dll.11.dr Static PE information: section name: .00cfg
                Source: chrome_elf.dll.11.dr Static PE information: section name: .crthunk
                Source: chrome_elf.dll.11.dr Static PE information: section name: CPADinfo
                Source: chrome_elf.dll.11.dr Static PE information: section name: malloc_h
                Source: libEGL.dll0.11.dr Static PE information: section name: .00cfg
                Source: libGLESv2.dll0.11.dr Static PE information: section name: .00cfg
                Source: libcef.dll.11.dr Static PE information: section name: .00cfg
                Source: libcef.dll.11.dr Static PE information: section name: .rodata
                Source: libcef.dll.11.dr Static PE information: section name: CPADinfo
                Source: libcef.dll.11.dr Static PE information: section name: malloc_h
                Source: C:\Users\user\Desktop\5GOuTtZoQn.exe Code function: 0_2_00403314 push eax; ret 0_2_004033EF
                Source: C:\Users\user\Desktop\5GOuTtZoQn.exe Code function: 0_2_025B7379 push eax; ret 0_2_025B737A
                Source: C:\Users\user\AppData\Roaming\wdugfia Code function: 5_2_00403314 push eax; ret 5_2_004033EF
                Source: C:\Users\user\AppData\Roaming\wdugfia Code function: 5_2_02476FD9 push eax; ret 5_2_02476FDA
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exe Code function: 9_2_00B6004B push ecx; ret 9_2_00B6005E
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exe Code function: 9_2_00B689AD push cs; ret 9_2_00B689AE
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Code function: 14_2_604CE38B push ecx; ret 14_2_604CE39E
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Code function: 14_2_60457C10 push 89084589h; iretd 14_2_60457C15
                Source: Ionic.Zip.dll.11.dr Static PE information: section name: .text entropy: 6.821349263259562
                Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\log4net.dll
                Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\2DF0.exe
                Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll
                Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\wdugfia
                Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll
                Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe
                Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll
                Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\chrome_elf.dll
                Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\E636.exe
                Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll
                Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\libEGL.dll
                Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll
                Source: C:\Users\user\AppData\Local\Temp\AD6.exe File created: C:\Users\user\AppData\Local\Temp\nsoA0C.tmp\blowfish.dll
                Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Del.exe
                Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll
                Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Local\Temp\nsjB8F5.tmp\liteFirewall.dll
                Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll
                Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\libcef.dll
                Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll
                Source: C:\Users\user\AppData\Local\Temp\AD6.exe File created: C:\Users\user\AppData\Local\Temp\nsoA0C.tmp\INetC.dll
                Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                Source: C:\Users\user\AppData\Local\Temp\AD6.exe File created: C:\Users\user\AppData\Local\Temp\nsoA0C.tmp\nsProcess.dll
                Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\AD6.exe
                Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll
                Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll
                Source: C:\Users\user\AppData\Local\Temp\setup.exe File created: C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll
                Source: C:\Users\user\AppData\Local\Temp\AD6.exe File created: C:\Users\user\AppData\Local\Temp\setup.exe
                Source: C:\Users\user\AppData\Local\Temp\AD6.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\huge[1].dat
                Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\wdugfia
                Source: C:\Users\user\AppData\Local\Temp\setup.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GamePall
                Source: C:\Users\user\AppData\Local\Temp\setup.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GamePall

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\explorer.exe File deleted: c:\users\user\desktop\5gouttzoqn.exe
                Source: C:\Windows\explorer.exe File opened: C:\Users\user\AppData\Roaming\wdugfia:Zone.Identifier read attributes | delete
                Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\E636.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\AD6.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\AD6.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\AD6.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\AD6.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\AD6.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Local\Temp\setup.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\5GOuTtZoQn.exe Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                Source: C:\Users\user\AppData\Roaming\wdugfia Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_9-145455)
                Source: C:\Users\user\AppData\Local\Temp\E636.exe System information queried: FirmwareTableInformation
                Source: C:\Users\user\Desktop\5GOuTtZoQn.exe API/Special instruction interceptor: Address: 7FFE2220E814
                Source: C:\Users\user\Desktop\5GOuTtZoQn.exe API/Special instruction interceptor: Address: 7FFE2220D584
                Source: C:\Users\user\AppData\Roaming\wdugfia API/Special instruction interceptor: Address: 7FFE2220E814
                Source: C:\Users\user\AppData\Roaming\wdugfia API/Special instruction interceptor: Address: 7FFE2220D584
                Source: C:\Users\user\AppData\Local\Temp\E636.exe API/Special instruction interceptor: Address: CF8181
                Source: C:\Users\user\AppData\Local\Temp\E636.exe API/Special instruction interceptor: Address: 1007E15
                Source: C:\Users\user\AppData\Local\Temp\E636.exe API/Special instruction interceptor: Address: C44080
                Source: C:\Users\user\AppData\Local\Temp\E636.exe API/Special instruction interceptor: Address: B276F5
                Source: C:\Users\user\AppData\Local\Temp\E636.exe API/Special instruction interceptor: Address: B1AA71
                Source: C:\Users\user\AppData\Local\Temp\E636.exe API/Special instruction interceptor: Address: C891D7
                Source: C:\Users\user\AppData\Local\Temp\E636.exe API/Special instruction interceptor: Address: CC3463
                Source: 5GOuTtZoQn.exe Binary or memory string: ASWHOOK
                Source: wdugfia, 00000005.00000002.2153599424.000000000245E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ASWHOOK{A4
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2B10000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2D30000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2C70000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: B20000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 27B0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 47B0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: AB0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2890000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: D20000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: F90000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2AF0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2940000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2E00000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2FF0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2E00000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 830000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2260000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2090000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 11D0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2D70000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2AB0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1050000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2BC0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2B00000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 1100000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2D10000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 11D0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: B80000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 25F0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 45F0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 29C0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2C20000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 29C0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 14E0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 30E0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2D30000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 29D0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2A60000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 4A60000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Memory allocated: 2970000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2C00000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 29B0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 8E0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2380000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 4380000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 1140000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2E50000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 4E50000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2A80000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2C60000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 4C60000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 1380000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2FE0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2E30000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 7F0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2470000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 23C0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: C60000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2730000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 4730000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 1390000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2F20000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 4F20000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 1810000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 3230000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 5230000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: B10000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2560000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: BA0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 25E0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2790000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 4790000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 11E0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2D00000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 11E0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 15C0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 32D0000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 3210000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 1340000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2E90000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeMemory allocated: 2B10000 memory reserve | memory write watch
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_604AE130 rdtsc 14_2_604AE130
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeThread delayed: delay time: 600000
                Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 439Jump to behavior
                Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 1060Jump to behavior
                Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 952Jump to behavior
                Source: C:\Windows\explorer.exeWindow / User API: threadDelayed 3735Jump to behavior
                Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 883Jump to behavior
                Source: C:\Windows\explorer.exeWindow / User API: foregroundWindowGot 860Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\log4net.dllJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dllJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Del.exeJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dllJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dllJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Uninstall.exeJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsjB8F5.tmp\liteFirewall.dllJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dllJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dllJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libcef.dllJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dllJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\AD6.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsoA0C.tmp\INetC.dllJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\AD6.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsoA0C.tmp\nsProcess.dllJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dllJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dllJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dllJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libEGL.dllJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dllJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\setup.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dllJump to dropped file
                Source: C:\Users\user\AppData\Local\Temp\AD6.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsoA0C.tmp\blowfish.dllJump to dropped file
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeAPI coverage: 3.7 %
                Source: C:\Windows\explorer.exe TID: 4628Thread sleep time: -106000s >= -30000sJump to behavior
                Source: C:\Windows\explorer.exe TID: 6352Thread sleep time: -95200s >= -30000sJump to behavior
                Source: C:\Windows\explorer.exe TID: 4628Thread sleep time: -373500s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\E636.exe TID: 3396Thread sleep time: -210000s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe TID: 5576Thread sleep time: -600000s >= -30000s
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe TID: 6768Thread sleep count: 32 > 30
                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeLast function: Thread delayed
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeLast function: Thread delayed
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeLast function: Thread delayed
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeLast function: Thread delayed
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeLast function: Thread delayed
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeCode function: 9_2_00B7256E FindFirstFileExW,FindNextFileW,FindClose,FindClose,9_2_00B7256E
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeCode function: 9_2_03951000 FindFirstFileW,FindNextFileW,EnterCriticalSection,LeaveCriticalSection,9_2_03951000
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeCode function: 9_2_03954E27 FindFirstFileW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,9_2_03954E27
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeCode function: 9_2_03951D3C FindFirstFileW,FindNextFileW,9_2_03951D3C
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeCode function: 9_2_039540BA FindFirstFileW,FindNextFileW,9_2_039540BA
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeCode function: 9_2_03953EFC FindFirstFileW,FindNextFileW,9_2_03953EFC
                Source: C:\Users\user\AppData\Local\Temp\setup.exeCode function: 11_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,11_2_00405B4A
                Source: C:\Users\user\AppData\Local\Temp\setup.exeCode function: 11_2_004066FF FindFirstFileA,FindClose,11_2_004066FF
                Source: C:\Users\user\AppData\Local\Temp\setup.exeCode function: 11_2_004027AA FindFirstFileA,11_2_004027AA
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_6051EA80 FindFirstFileExW,14_2_6051EA80
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_604EF346 FindFirstFileExW,14_2_604EF346
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_604EF3F7 FindFirstFileExW,RevokeDragDrop,FindNextFileW,FindClose,FindClose,14_2_604EF3F7
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_6051F490 FindFirstFileExW,14_2_6051F490
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeCode function: 9_2_03952054 GetCurrentHwProfileA,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,9_2_03952054
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeThread delayed: delay time: 600000
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeFile opened: C:\Users\user\AppData\Local\Adobe\Acrobat\Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeFile opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeFile opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeFile opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeFile opened: C:\Users\user\AppData\Local\Adobe\Jump to behavior
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeFile opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\Jump to behavior
                Source: explorer.exe, 00000001.00000000.1846766557.00000000098A8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                Source: explorer.exe, 00000001.00000000.1846263087.0000000009815000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NECVMWar VMware SATA CD00\w
                Source: explorer.exe, 00000001.00000000.1844365188.00000000078A0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
                Source: explorer.exe, 00000001.00000000.1846766557.00000000098A8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                Source: explorer.exe, 00000001.00000000.1843056048.0000000001240000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
                Source: explorer.exe, 00000001.00000000.1844365188.00000000079FB000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: explorer.exe, 00000001.00000000.1846766557.0000000009977000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00
                Source: explorer.exe, 00000001.00000000.1844365188.00000000078AD000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: NXTTAVMWare
                Source: explorer.exe, 00000001.00000000.1846263087.0000000009815000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
                Source: explorer.exe, 00000001.00000000.1846263087.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1846263087.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2306543149.00000000016FE000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000002.2309021449.00000000016FE000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2212422021.00000000016FE000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2234378949.00000000016FE000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2306543149.00000000016D7000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2264120478.0000000001701000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2223257274.00000000016FE000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2235294827.0000000001700000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2264560521.0000000001706000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: explorer.exe, 00000001.00000000.1846766557.0000000009977000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
                Source: explorer.exe, 00000001.00000000.1844365188.0000000007A34000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWen-GBnx
                Source: explorer.exe, 00000001.00000000.1846263087.0000000009660000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
                Source: explorer.exe, 00000001.00000000.1843056048.0000000001240000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                Source: explorer.exe, 00000001.00000000.1843056048.0000000001240000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: C:\Users\user\AppData\Local\Temp\setup.exeAPI call chain: ExitProcess graph end nodegraph_11-3649
                Source: C:\Users\user\Desktop\5GOuTtZoQn.exeSystem information queried: ModuleInformationJump to behavior
                Source: C:\Users\user\Desktop\5GOuTtZoQn.exeProcess information queried: ProcessInformationJump to behavior

                Anti Debugging

                Source: C:\Users\user\Desktop\5GOuTtZoQn.exe | System information queried: CodeIntegrityInformation
                Source: C:\Users\user\AppData\Roaming\wdugfia | System information queried: CodeIntegrityInformation
                Source: C:\Users\user\Desktop\5GOuTtZoQn.exe | Process queried: DebugPort
                Source: C:\Users\user\AppData\Roaming\wdugfia | Process queried: DebugPort
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_604AE130 rdtsc 14_2_604AE130
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | Code function: 9_2_00B64383 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_00B64383
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | Code function: 9_2_00B05B80 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,InternetOpenA,FreeLibrary,_strlen,InternetOpenUrlA,FreeLibrary,task,InternetReadFile,FreeLibrary,task, 9_2_00B05B80
                Source: C:\Users\user\Desktop\5GOuTtZoQn.exe | Code function: 0_2_024F092B mov eax, dword ptr fs:[00000030h] 0_2_024F092B
                Source: C:\Users\user\Desktop\5GOuTtZoQn.exe | Code function: 0_2_024F0D90 mov eax, dword ptr fs:[00000030h] 0_2_024F0D90
                Source: C:\Users\user\Desktop\5GOuTtZoQn.exe | Code function: 0_2_025B42CF push dword ptr fs:[00000030h] 0_2_025B42CF
                Source: C:\Users\user\AppData\Roaming\wdugfia | Code function: 5_2_02473F2F push dword ptr fs:[00000030h] 5_2_02473F2F
                Source: C:\Users\user\AppData\Roaming\wdugfia | Code function: 5_2_03F90D90 mov eax, dword ptr fs:[00000030h] 5_2_03F90D90
                Source: C:\Users\user\AppData\Roaming\wdugfia | Code function: 5_2_03F9092B mov eax, dword ptr fs:[00000030h] 5_2_03F9092B
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | Code function: 9_2_00B75891 GetProcessHeap, 9_2_00B75891
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | Code function: 9_2_00B64383 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_00B64383
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | Code function: 9_2_00B60495 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_00B60495
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | Code function: 9_2_00B606F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_00B606F0
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | Code function: 9_2_00B60622 SetUnhandledExceptionFilter, 9_2_00B60622
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_604CE18A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 14_2_604CE18A
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_60513120 GetCurrentProcessId,SetUnhandledExceptionFilter,AddVectoredExceptionHandler, 14_2_60513120
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_604EB5D6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_604EB5D6
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_6047BC40 GetCurrentProcessId,CreateEventW,CreateEventW,CreateEventW,CreateEventW,SetUnhandledExceptionFilter,AddVectoredExceptionHandler,CreateThread, 14_2_6047BC40
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: 14_2_604CDC6C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_604CDC6C
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Windows\explorer.exe | File created: 2DF0.exe.1.dr
                Source: C:\Windows\explorer.exe | Network Connect: 77.221.157.163 80
                Source: C:\Windows\explorer.exe | Network Connect: 141.8.194.149 80
                Source: C:\Windows\explorer.exe | Network Connect: 190.147.2.86 80
                Source: C:\Windows\explorer.exe | Network Connect: 188.114.97.3 80
                Source: C:\Windows\explorer.exe | Network Connect: 186.101.193.110 80
                Source: C:\Users\user\Desktop\5GOuTtZoQn.exe | Thread created: C:\Windows\explorer.exe EIP: 87C19A0
                Source: C:\Users\user\AppData\Roaming\wdugfia | Thread created: unknown EIP: 31619A0
                Source: E636.exe, 00000006.00000002.2307553839.00000000007DD000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: pedestriankodwu.xyz
                Source: E636.exe, 00000006.00000002.2307553839.00000000007DD000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: towerxxuytwi.xyz
                Source: E636.exe, 00000006.00000002.2307553839.00000000007DD000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: ellaboratepwsz.xyz
                Source: E636.exe, 00000006.00000002.2307553839.00000000007DD000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: penetratedpoopp.xyz
                Source: E636.exe, 00000006.00000002.2307553839.00000000007DD000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: swellfrrgwwos.xyz
                Source: E636.exe, 00000006.00000002.2307553839.00000000007DD000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: contintnetksows.shop
                Source: E636.exe, 00000006.00000002.2307553839.00000000007DD000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: foodypannyjsud.shop
                Source: E636.exe, 00000006.00000002.2307553839.00000000007DD000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: potterryisiw.shop
                Source: C:\Users\user\Desktop\5GOuTtZoQn.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
                Source: C:\Users\user\Desktop\5GOuTtZoQn.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
                Source: C:\Users\user\AppData\Roaming\wdugfia | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
                Source: C:\Users\user\AppData\Roaming\wdugfia | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/127.1 Mobile/15E148 Safari/605.1.15" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3308 --field-trial-handle=3304,i,784606554325148639,9845247229423355752,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/127.1 Mobile/15E148 Safari/605.1.15" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3528 --field-trial-handle=3304,i,784606554325148639,9845247229423355752,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/127.1 Mobile/15E148 Safari/605.1.15" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3664 --field-trial-handle=3304,i,784606554325148639,9845247229423355752,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/127.1 Mobile/15E148 Safari/605.1.15" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719999716977116 --launch-time-ticks=7077579277 --mojo-platform-channel-handle=3760 --field-trial-handle=3304,i,784606554325148639,9845247229423355752,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/127.1 Mobile/15E148 Safari/605.1.15" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719999716977116 --launch-time-ticks=7077667358 --mojo-platform-channel-handle=4152 --field-trial-handle=3304,i,784606554325148639,9845247229423355752,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: unknown unknown
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (iphone; cpu iphone os 17_5_1 like mac os x) applewebkit/605.1.15 (khtml, like gecko) fxios/127.1 mobile/15e148 safari/605.1.15" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3308 --field-trial-handle=3304,i,784606554325148639,9845247229423355752,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:2
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=storage.mojom.storageservice --lang=en-us --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (iphone; cpu iphone os 17_5_1 like mac os x) applewebkit/605.1.15 (khtml, like gecko) fxios/127.1 mobile/15e148 safari/605.1.15" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3528 --field-trial-handle=3304,i,784606554325148639,9845247229423355752,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-us --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (iphone; cpu iphone os 17_5_1 like mac os x) applewebkit/605.1.15 (khtml, like gecko) fxios/127.1 mobile/15e148 safari/605.1.15" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3664 --field-trial-handle=3304,i,784606554325148639,9845247229423355752,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (iphone; cpu iphone os 17_5_1 like mac os x) applewebkit/605.1.15 (khtml, like gecko) fxios/127.1 mobile/15e148 safari/605.1.15" --user-data-dir="c:\users\user\appdata\local\cef\user data" --first-renderer-process --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719999716977116 --launch-time-ticks=7077579277 --mojo-platform-channel-handle=3760 --field-trial-handle=3304,i,784606554325148639,9845247229423355752,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (iphone; cpu iphone os 17_5_1 like mac os x) applewebkit/605.1.15 (khtml, like gecko) fxios/127.1 mobile/15e148 safari/605.1.15" --user-data-dir="c:\users\user\appdata\local\cef\user data" --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719999716977116 --launch-time-ticks=7077667358 --mojo-platform-channel-handle=4152 --field-trial-handle=3304,i,784606554325148639,9845247229423355752,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
                Source: explorer.exe, 00000001.00000000.1843280785.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000001.00000000.1846263087.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1844210009.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: explorer.exe, 00000001.00000000.1843280785.00000000018A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                Source: explorer.exe, 00000001.00000000.1843056048.0000000001240000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 1Progman$
                Source: explorer.exe, 00000001.00000000.1843280785.00000000018A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: explorer.exe, 00000001.00000000.1843280785.00000000018A0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | Code function: 9_2_00B6013C cpuid 9_2_00B6013C
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | Code function: GetLocaleInfoW, 9_2_00B6E096
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 9_2_00B750DC
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | Code function: EnumSystemLocalesW, 9_2_00B75051
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | Code function: GetLocaleInfoW, 9_2_00B7532F
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 9_2_00B75458
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | Code function: GetLocaleInfoW, 9_2_00B7555E
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 9_2_00B75634
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | Code function: EnumSystemLocalesW, 9_2_00B6DBC7
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | Code function: EnumSystemLocalesW, 9_2_00B74FB6
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | Code function: EnumSystemLocalesW, 9_2_00B74F6B
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | Code function: EnumSystemLocalesW, 9_2_00B74F69
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: GetLocaleInfoW, 14_2_604EA48C
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 14_2_604EE797
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: EnumSystemLocalesW, 14_2_604EA9CD
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: EnumSystemLocalesW, 14_2_604EE9E8
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 14_2_604EEA90
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: EnumSystemLocalesW, 14_2_604EECE3
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: GetLocaleInfoW, 14_2_604EED50
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: GetLocaleInfoW, 14_2_604EEE70
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: EnumSystemLocalesW, 14_2_604EEE25
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 14_2_604EEF17
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Code function: GetLocaleInfoW, 14_2_604EF01D
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | Queries volume information: C:\ VolumeInformation (8 identical rows)
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Queries volume information (144 rows in this part of the report, grouped here by queried path; the rows recur in load cycles of GamePall.exe, System.Drawing.dll, System.Windows.Forms.dll, log4net.dll, Xilium.CefGlue.dll, in most cycles followed by Microsoft.VisualBasic.dll):
                    C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation (26 rows)
                    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation (25 rows)
                    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation (25 rows)
                    C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation (24 rows)
                    C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation (23 rows)
                    C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation (16 rows)
                    C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll VolumeInformation (1 row)
                    C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (1 row)
                    C:\Windows\System32\drivers\etc\hosts VolumeInformation (2 rows)
                    C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation (1 row)
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_6048B950 VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,CreateNamedPipeW,14_2_6048B950
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exeCode function: 9_2_00B6038F GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,9_2_00B6038F
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeCode function: 14_2_604F1043 GetTimeZoneInformation,14_2_604F1043
                Source: C:\Users\user\AppData\Local\Temp\setup.exeCode function: 11_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,11_2_004034CC
                Source: C:\Users\user\AppData\Local\Temp\E636.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                Source: E636.exe, 00000006.00000003.2285339247.0000000001783000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2285485743.0000000001793000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2279914840.0000000001783000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2280086015.0000000001793000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2306412098.000000000179A000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000002.2309520806.000000000179A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Program Files\Windows Defender\MpCmdRun.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
                Source: C:\Program Files\Windows Defender\MpCmdRun.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
                Source: C:\Users\user\AppData\Local\Temp\E636.exeWMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
                Source: C:\Users\user\AppData\Local\Temp\AD6.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
                Source: C:\Users\user\AppData\Local\Temp\AD6.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

                Stealing of Sensitive Information

                Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: E636.exe PID: 4476, type: MEMORYSTR
                Source: Yara match | File source: 9.2.2DF0.exe.1276b20.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.2DF0.exe.12cc9c0.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.2DF0.exe.3950000.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.2DF0.exe.12cc9c0.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.2DF0.exe.3950000.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 9.2.2DF0.exe.1276b20.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000009.00000002.2987292224.000000000126C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000009.00000002.2988116312.0000000003950000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: 2DF0.exe PID: 7024, type: MEMORYSTR
                Source: Yara match | File source: 00000000.00000002.1854520815.0000000002500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.2153894558.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.2153984228.0000000003FE1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1854573605.0000000002541000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: E636.exe, 00000006.00000003.2212422021.00000000016FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Electrum-LTC
                Source: E636.exe, 00000006.00000003.2212422021.00000000016FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/ElectronCash
                Source: E636.exe, 00000006.00000003.2263990356.000000000176C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Jaxx Liberty
                Source: E636.exe, 00000006.00000003.2212422021.00000000016FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
                Source: E636.exe, 00000006.00000003.2212422021.00000000016FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.walletc"
                Source: E636.exe, 00000006.00000003.2263990356.000000000176C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ExodusWeb3
                Source: E636.exe, 00000006.00000003.2212422021.00000000016FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binancec
                Source: E636.exe, 00000006.00000003.2212422021.00000000016FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum
                Source: E636.exe, 00000006.00000003.2212422021.00000000016FE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                Source: E636.exe, 00000006.00000003.2285575589.0000000001757000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore@#v
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddffflа
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                Source: C:\Users\user\AppData\Local\Temp\2DF0.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Roaming\FTPGetter
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Roaming\FTPInfo
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Roaming\FTPbox
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Roaming\FTPRush
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\ProgramData\SiteDesigner\3D-FTP
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Roaming\Binance
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Roaming\Binance
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                Source: C:\Users\user\AppData\Local\Temp\E636.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                Source: C:\Users\user\AppData\Local\Temp\E636.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\E636.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\E636.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\E636.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\E636.exeDirectory queried: C:\Users\user\Documents\BPMLNOBVSBJump to behavior
                Source: C:\Users\user\AppData\Local\Temp\E636.exeDirectory queried: C:\Users\user\Documents\BPMLNOBVSBJump to behavior
                Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeDirectory queried: number of queries: 1248
Source: Yara match | File source: 00000006.00000003.2234378949.000000000175F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.2223257274.000000000175F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.2236092761.000000000175F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.2234378949.00000000016FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.2264120478.0000000001701000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.2212422021.000000000175F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.2235294827.0000000001700000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.2264560521.0000000001706000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.2232951408.000000000175F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.2236092761.0000000001700000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.2235294827.000000000175F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.2247835335.0000000001700000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.2247835335.000000000175F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: E636.exe PID: 4476, type: MEMORYSTR

                Remote Access Functionality

Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: E636.exe PID: 4476, type: MEMORYSTR
Source: Yara match | File source: 9.2.2DF0.exe.1276b20.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.2DF0.exe.12cc9c0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.2DF0.exe.3950000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.2DF0.exe.12cc9c0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.2DF0.exe.3950000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.2DF0.exe.1276b20.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.2987292224.000000000126C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2988116312.0000000003950000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 2DF0.exe PID: 7024, type: MEMORYSTR
Source: Yara match | File source: 00000000.00000002.1854520815.0000000002500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2153894558.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2153984228.0000000003FE1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1854573605.0000000002541000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (one line per tactic; numeric prefixes are the report's own technique badges and are kept as printed)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses; Network Security Appliances; Gather Victim Org Information

Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure; Domains; DNS Server

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise; Compromise Software Dependencies and Development Tools; Compromise Software Supply Chain

Execution: 1 Windows Management Instrumentation; 11 Native API; 1 Exploitation for Client Execution; 1 Command and Scripting Interpreter; 1 PowerShell; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell; AppleScript; Windows Command Shell

Persistence: 1 DLL Side-Loading; 1 Windows Service; 1 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task

Privilege Escalation: 1 DLL Side-Loading; 1 Access Token Manipulation; 1 Windows Service; 313 Process Injection; 1 Registry Run Keys / Startup Folder; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task

Defense Evasion: 1 Disable or Modify Tools; 111 Deobfuscate/Decode Files or Information; 41 Obfuscated Files or Information; 21 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 1 File Deletion; 11 Masquerading; 241 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 313 Process Injection; 1 Hidden Files and Directories

Credential Access: 2 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing; Input Capture; Keylogging

Discovery: 2 System Time Discovery; 23 File and Directory Discovery; 137 System Information Discovery; 661 Security Software Discovery; 241 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 1 Remote System Discovery; Network Sniffing; Network Service Discovery; System Network Connections Discovery; Process Discovery

Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot; Software Deployment Tools; Taint Shared Content

Collection: 11 Archive Collected Data; 41 Data from Local System; 1 Screen Capture; 1 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging; Remote Data Staging; Screen Capture

Command and Control: 1 Ingress Tool Transfer; 2 Encrypted Channel; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols; Mail Protocols; DNS

Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; Exfiltration Over Unencrypted Non-C2 Protocol; Exfiltration Over Physical Medium

Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement; Firmware Corruption; Resource Hijacking
Behavior Graph ID: 1466817, Sample: 5GOuTtZoQn.exe, Startdate: 03/07/2024, Architecture: WINDOWS, Score: 100
Process tree shown in the graph: 5GOuTtZoQn.exe (and two later runs of the persisted copy wdugfia) injects into explorer.exe; explorer.exe drops wdugfia, E636.exe, AD6.exe and 2 other malicious files and starts AD6.exe, E636.exe, 2DF0.exe and 2 other processes; AD6.exe drops setup.exe, blowfish.dll and huge[1].dat and starts setup.exe; setup.exe drops vulkan-1.dll, vk_swiftshader.dll, libGLESv2.dll and 16 other files (13 malicious) and starts GamePall.exe, which spawns further GamePall.exe child processes.
Network contacts shown in the graph: explorer.exe to 190.147.2.86 (Colombia) and 186.101.193.110 (Ecuador) plus 2 other IPs or domains; E636.exe to 188.114.97.3 (CLOUDFLARENET); 2DF0.exe to 146.70.169.164 (TENET-1) and 104.192.141.1 (AMAZON-02); GamePall.exe to 172.67.221.174 (CLOUDFLARENET).
Signatures attached to the graph nodes match the signature list at the top of the report (malware configuration found, unpacking detected, injection into explorer.exe, self-deletion, zone.identifier hiding, VM and sandbox checks, crypto-wallet strings, browser information harvesting, and antivirus and machine-learning detections on the dropped files).



Source | Detection | Scanner | Label | Link
5GOuTtZoQn.exe | 61% | ReversingLabs | Win32.Trojan.SmokeLoader
5GOuTtZoQn.exe | 100% | Joe Sandbox ML

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\E636.exe | 100% | Avira | HEUR/AGEN.1313486
C:\Users\user\AppData\Local\Temp\setup.exe | 100% | Avira | HEUR/AGEN.1359405
C:\Users\user\AppData\Local\Temp\AD6.exe | 100% | Avira | HEUR/AGEN.1359405
C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | 100% | Avira | HEUR/AGEN.1352426
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\huge[1].dat | 100% | Avira | HEUR/AGEN.1359405
C:\Users\user\AppData\Local\Temp\2DF0.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\E636.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Roaming\GamePall\Del.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | 100% | Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\huge[1].dat | 3% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\2DF0.exe | 54% | ReversingLabs | Win32.Trojan.PovertyStealer
C:\Users\user\AppData\Local\Temp\AD6.exe | 21% | ReversingLabs
C:\Users\user\AppData\Local\Temp\E636.exe | 68% | ReversingLabs | Win32.Trojan.Smokeloader
C:\Users\user\AppData\Local\Temp\nsjB8F5.tmp\liteFirewall.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\nsoA0C.tmp\INetC.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\nsoA0C.tmp\blowfish.dll | 5% | ReversingLabs
C:\Users\user\AppData\Local\Temp\nsoA0C.tmp\nsProcess.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\setup.exe | 3% | ReversingLabs | Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\GamePall\Del.exe | 7% | ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | 3% | ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\chrome_elf.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll | 3% | ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\libEGL.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\libcef.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\log4net.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll | 0% | ReversingLabs
C:\Users\user\AppData\Roaming\wdugfia | 61% | ReversingLabs | Win32.Trojan.SmokeLoader
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
contintnetksows.shop | true
http://qeqei.xyz/tmp/ | true
ellaboratepwsz.xyz | true
swellfrrgwwos.xyz | true
foodypannyjsud.shop | true
pedestriankodwu.xyz | true
http://lindex24.ru/tmp/ | true
http://llcbc.org/tmp/ | true
Name | Source | Malicious | Antivirus Detection | Reputation
https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?u | setup.exe, 0000000B.00000002.3769420567.0000000002735000.00000004.00000020.00020000.00000000.sdmp | false
https://aka.ms/odirmr | explorer.exe, 00000001.00000000.1844365188.00000000079FB000.00000004.00000001.00020000.00000000.sdmp | false
https://duckduckgo.com/chrome_newtab | E636.exe, 00000006.00000003.2213042327.0000000003E1F000.00000004.00000800.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2213129167.0000000003E08000.00000004.00000800.00020000.00000000.sdmp | false
https://duckduckgo.com/ac/?q= | E636.exe, 00000006.00000003.2213042327.0000000003E1F000.00000004.00000800.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2213129167.0000000003E08000.00000004.00000800.00020000.00000000.sdmp, 2DF0.exe, 00000009.00000002.2989495989.000000000A341000.00000004.00000020.00020000.00000000.sdmp | false
https://foodypannyjsud.shop/s | E636.exe, 00000006.00000003.2263990356.000000000176C000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2264750383.000000000176F000.00000004.00000020.00020000.00000000.sdmp | false
https://foodypannyjsud.shop/t | E636.exe, 00000006.00000003.2263990356.000000000176C000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2264750383.000000000176F000.00000004.00000020.00020000.00000000.sdmp | false
https://chrome.google.com/webstore?hl=hiCtrl$1 | hi.pak.11.dr | false
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false
http://www.apache.org/licenses/LICEN | GamePall.exe | false
https://support.google.com/chrome/answer/6098869 | setup.exe, 0000000B.00000002.3769420567.0000000002735000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000E.00000002.3479833750.00000000063D0000.00000002.00000001.00040000.0000001C.sdmp, hi.pak.11.dr, bg.pak.11.dr, it.pak.11.dr | false
https://www.google.com/chrome/privacy/eula_text.html | setup.exe, 0000000B.00000002.3769420567.0000000002735000.00000004.00000020.00020000.00000000.sdmp, hi.pak.11.dr, bg.pak.11.dr | false
https://foodypannyjsud.shop/ldOL | E636.exe, 00000006.00000003.2223257274.000000000175F000.00000004.00000020.00020000.00000000.sdmp | false
https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000001.00000000.1846263087.00000000097D4000.00000004.00000001.00020000.00000000.sdmp | false
https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417. | E636.exe, 00000006.00000003.2237638501.00000000016E2000.00000004.00000020.00020000.00000000.sdmp | false
http://logging.apache.org/log4net/release/faq.html#trouble-EventLog | GamePall.exe, 0000000E.00000002.3473498425.0000000004E32000.00000002.00000001.01000000.00000012.sdmp, log4net.xml.11.dr | false
https://chrome.google.com/webstore?hl=itCtrl$1 | it.pak.11.dr | false
https://excel.office.com | explorer.exe, 00000001.00000000.1848132573.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false
https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we | explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false
https://simpleflying.com/how-do-you-become-an-air-traffic-controller/ | explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false
https://foodypannyjsud.shop/k | E636.exe, 00000006.00000003.2223257274.000000000175F000.00000004.00000020.00020000.00000000.sdmp | false
https://foodypannyjsud.shop/apins | E636.exe, 00000006.00000003.2285575589.0000000001757000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2280247691.0000000001766000.00000004.00000020.00020000.00000000.sdmp | false
https://foodypannyjsud.shop/s.S | E636.exe, 00000006.00000003.2263990356.000000000176C000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2264750383.000000000176F000.00000004.00000020.00020000.00000000.sdmp | false
https://foodypannyjsud.shop/P | E636.exe, 00000006.00000003.2232951408.00000000016FE000.00000004.00000020.00020000.00000000.sdmp | false
https://photos.google.com/settings?referrer=CHROME_NTP | setup.exe, 0000000B.00000002.3769420567.0000000002735000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000E.00000002.3479833750.00000000063D0000.00000002.00000001.00040000.0000001C.sdmp, hi.pak.11.dr, bg.pak.11.dr, it.pak.11.dr | false
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY | explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi | E636.exe, 00000006.00000003.2237638501.00000000016E2000.00000004.00000020.00020000.00000000.sdmp | false
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark | explorer.exe, 00000001.00000000.1844365188.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false
https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl | setup.exe, 0000000B.00000002.3769420567.0000000002735000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000E.00000002.3479833750.00000000063D0000.00000002.00000001.00040000.0000001C.sdmp, hi.pak.11.dr, bg.pak.11.dr, it.pak.11.dr | false
https://foodypannyjsud.shop/pim | E636.exe, 00000006.00000003.2212422021.00000000016FE000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2223257274.00000000016FE000.00000004.00000020.00020000.00000000.sdmp | false
https://passwords.google.com | bg.pak.11.dr | false
https://aui-cdn.atlassian.com/ | 2DF0.exe, 00000009.00000002.2987292224.000000000124D000.00000004.00000020.00020000.00000000.sdmp | false
http://www.iana.org/assignments/multicast-addresses | log4net.xml.11.dr | false
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | explorer.exe, 00000001.00000000.1848132573.000000000C893000.00000004.00000001.00020000.00000000.sdmp | false
https://foodypannyjsud.shop/la | E636.exe, 00000006.00000003.2247835335.000000000175F000.00000004.00000020.00020000.00000000.sdmp | false
https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22 | setup.exe, 0000000B.00000002.3769420567.0000000002735000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000E.00000002.3479833750.00000000063D0000.00000002.00000001.00040000.0000001C.sdmp, hi.pak.11.dr, bg.pak.11.dr, it.pak.11.dr | false
http://bageyou.xyz | GamePall.exe, 00000012.00000002.3683666966.0000000002261000.00000004.00000800.00020000.00000000.sdmp | false
http://logging.apache.org/log4ne | GamePall.exe | false
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg | explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false
https://bitbucket.org/ | 2DF0.exe, 00000009.00000002.2987292224.000000000124D000.00000004.00000020.00020000.00000000.sdmp | false
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000001.00000000.1844365188.00000000079B1000.00000004.00000001.00020000.00000000.sdmp | false
https://wns.windows.com/L | explorer.exe, 00000001.00000000.1848132573.000000000C557000.00000004.00000001.00020000.00000000.sdmp | false
http://www.connectionstrings.com/ | log4net.xml.11.dr | false
https://word.office.com | explorer.exe, 00000001.00000000.1848132573.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp | false
https://support.google.com/chromebook?p=app_intent | setup.exe, 0000000B.00000002.3769420567.0000000002735000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000E.00000002.3479833750.00000000063D0000.00000002.00000001.00040000.0000001C.sdmp, hi.pak.11.dr, bg.pak.11.dr, it.pak.11.dr | false
https://web-security-reports.services.atlassian.com/csp-rep | 2DF0.exe, 00000009.00000002.2987292224.000000000124D000.00000004.00000020.00020000.00000000.sdmp | false
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false
https://chrome.google.com/webstore | resources.pak.11.dr | false
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu | explorer.exe, 00000001.00000000.1844365188.00000000078AD000.00000004.00000001.00020000.00000000.sdmp | false
https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win | explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmp | false
https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u | GamePall.exe, 0000000E.00000002.3479833750.00000000063D0000.00000002.00000001.00040000.0000001C.sdmp | false
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | E636.exe, 00000006.00000003.2213042327.0000000003E1F000.00000004.00000800.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2213129167.0000000003E08000.00000004.00000800.00020000.00000000.sdmp, 2DF0.exe, 00000009.00000002.2989495989.000000000A341000.00000004.00000020.00020000.00000000.sdmp | false
http://crl.rootca1.amazontrust.com/rootca1.crl0 | E636.exe, 00000006.00000003.2235658255.0000000003E0E000.00000004.00000800.00020000.00000000.sdmp, 2DF0.exe, 00000009.00000003.2979074721.000000000AA5F000.00000004.00000020.00020000.00000000.sdmp | false
                                                                                                                                        http://ocsp.rootca1.amazontrust.com0:E636.exe, 00000006.00000003.2235658255.0000000003E0E000.00000004.00000800.00020000.00000000.sdmp, 2DF0.exe, 00000009.00000003.2979074721.000000000AA5F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016E636.exe, 00000006.00000003.2212749407.0000000003E4C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNewexplorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                              http://nsis.sf.net/NSIS_ErrorErrorAD6.exe, 00000008.00000000.2263677389.000000000040A000.00000008.00000001.01000000.00000008.sdmp, setup.exe, 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp, setup.exe, 0000000B.00000000.3083333890.000000000040A000.00000008.00000001.01000000.0000000E.sdmp, setup.exe, 0000000B.00000003.3371912395.00000000005F7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                http://logging.apache.org/log4jlog4net.xml.11.drfalse
                                                                                                                                                  https://chrome.google.com/webstore?hl=hi&category=theme81https://myactivity.google.com/myactivity/?uhi.pak.11.drfalse
                                                                                                                                                    https://www.ecosia.org/newtab/E636.exe, 00000006.00000003.2213042327.0000000003E1F000.00000004.00000800.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2213129167.0000000003E08000.00000004.00000800.00020000.00000000.sdmp, 2DF0.exe, 00000009.00000002.2989495989.000000000A341000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                        http://xiexie.wf/22_551/huge.datAD6.exe, 00000008.00000003.2266842133.0000000003070000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                                                          https://foodypannyjsud.shop/0HxE636.exe, 00000006.00000003.2306543149.0000000001757000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2307179911.0000000001757000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000002.2309225728.000000000175F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                            https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brE636.exe, 00000006.00000003.2237221082.0000000003F1B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              https://bitbucket.org/fcsdcvscvc/sadcasdv/raw/62af221cbc4d137cf4e95f7d66f3ced90597b434/kupee2DF0.exe, 00000009.00000002.2987292224.000000000124D000.00000004.00000020.00020000.00000000.sdmp, 2DF0.exe, 00000009.00000002.2987292224.0000000001200000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeuexplorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                  https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrlsetup.exe, 0000000B.00000002.3769420567.0000000002735000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000E.00000002.3479833750.00000000063D0000.00000002.00000001.00040000.0000001C.sdmp, hi.pak.11.dr, bg.pak.11.dr, it.pak.11.drfalse
                                                                                                                                                                    http://nsis.sf.net/NSIS_Errorsetup.exe, setup.exe, 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp, setup.exe, 0000000B.00000000.3083333890.000000000040A000.00000008.00000001.01000000.0000000E.sdmp, setup.exe, 0000000B.00000003.3371912395.00000000005F7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-darkexplorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                        https://foodypannyjsud.shop/apiPE636.exe, 00000006.00000003.2306543149.0000000001757000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2285575589.0000000001757000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000002.2309359717.0000000001767000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2306987140.0000000001764000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                          https://www.rd.com/list/polite-habits-campers-dislike/explorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                            https://foodypannyjsud.shop/apidsE636.exe, 00000006.00000003.2280247691.0000000001766000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              https://android.notify.windows.com/iOSexplorer.exe, 00000001.00000000.1848132573.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                http://api.install-stat.debug.world/clients/installsGamePall.exe, 0000000E.00000002.3470666729.00000000027B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                  https://foodypannyjsud.shop/jh5SE636.exe, 00000006.00000003.2247835335.000000000175F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                    https://support.microsofE636.exe, 00000006.00000003.2212749407.0000000003E4E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                      https://cdn.cookielaw.org/2DF0.exe, 00000009.00000002.2987292224.000000000124D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        https://www.newtonsoft.com/jsonschemaNewtonsoft.Json.dll.11.drfalse
                                                                                                                                                                                          https://support.google.com/chrome/a/answer/9122284setup.exe, 0000000B.00000002.3769420567.0000000002735000.00000004.00000020.00020000.00000000.sdmp, hi.pak.11.dr, bg.pak.11.dr, it.pak.11.drfalse
                                                                                                                                                                                            https://foodypannyjsud.shop/F9E636.exe, 00000006.00000003.2279914840.0000000001777000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000003.2285339247.000000000176C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                              https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.imgexplorer.exe, 00000001.00000000.1844365188.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                                https://outlook.com_explorer.exe, 00000001.00000000.1848132573.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  https://www.google.com/resources.pak.11.drfalse
                                                                                                                                                                                                    https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppeexplorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-atexplorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        https://chrome.google.com/webstore?hl=zh-CN&category=theme81https://myactivity.google.com/myactivitysetup.exe, 0000000B.00000002.3769420567.0000000002735000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          https://chrome.google.com/webstore?hl=zh-CNCtrl$1setup.exe, 0000000B.00000002.3769420567.0000000002735000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            https://svn.apache.org/repos/asf/logging/log4net/tags/2.0.8RC1GamePall.exe, GamePall.exe, 0000000E.00000002.3473718724.0000000004E76000.00000002.00000001.01000000.00000012.sdmp, GamePall.exe, 0000000E.00000002.3473498425.0000000004E32000.00000002.00000001.01000000.00000012.sdmpfalse
                                                                                                                                                                                                              https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-clexplorer.exe, 00000001.00000000.1844365188.00000000078AD000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                http://www.unicode.org/copyright.htmlGamePall.exe, 0000000E.00000002.3475253670.0000000005F57000.00000002.00000001.00040000.0000001B.sdmpfalse
                                                                                                                                                                                                                  https://powerpoint.office.comcemberexplorer.exe, 00000001.00000000.1848132573.000000000C5AA000.00000004.00000001.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                    https://chrome.google.com/webstore?hl=zh-TW&category=theme81https://myactivity.google.com/myactivitysetup.exe, 0000000B.00000002.3769420567.0000000002735000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                      https://bitbucket.org/fcsdcvscvc/sadcasdv/raw/62af221cbc4d137cf4e95f7d66f3ced90597b434/kupeeC2DF0.exe, 00000009.00000002.2987292224.000000000124D000.00000004.00000020.00020000.00000000.sdmpfalse
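Every row in this part of the URL table carries Malicious = false, including the foodypannyjsud.shop endpoints that E636.exe holds in writable memory, so the flag alone cannot drive triage; the Source column can. The following Python helper is an added example, not part of the Joe Sandbox report: it splits each fused row (URL, source list and flag run together with no separator) back into its columns by looking for the process and dropped-file names that appear in this report's Source column, then keeps only hosts whose strings were found in process memory other than the injected explorer.exe, whose heap carries pre-existing MSN and Office strings. KNOWN_SOURCES is taken from the table above; NOISE_SOURCES and the decision to skip dropped-file (*.dr) sources are the editor's assumptions; the five sample rows are copied from the table.

```python
import re
from urllib.parse import urlsplit

# Process and dropped-file names that occur in the Source column of this
# report. A row is "<url><source list><true|false>" with no separator, so
# the earliest occurrence of a known source name marks the end of the URL.
# (Assumption: a URL never itself contains one of these names.)
KNOWN_SOURCES = (
    "explorer.exe", "2DF0.exe", "E636.exe", "AD6.exe", "setup.exe", "GamePall.exe",
    "log4net.xml.11.dr", "resources.pak.11.dr", "hi.pak.11.dr", "bg.pak.11.dr",
    "it.pak.11.dr", "Newtonsoft.Json.dll.11.dr",
)

# Sources whose strings say nothing about the sample (editor's assumption):
# the injected explorer.exe carries pre-existing MSN/Office strings.
NOISE_SOURCES = {"explorer.exe"}

# Constructed input: five rows copied verbatim from the URL table above.
SAMPLE_ROWS = [
    "https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svgexplorer.exe, 00000001.00000000.1844365188.0000000007900000.00000004.00000001.00020000.00000000.sdmpfalse",
    "https://chrome.google.com/webstoreresources.pak.11.drfalse",
    "https://foodypannyjsud.shop/apiPE636.exe, 00000006.00000003.2306543149.0000000001757000.00000004.00000020.00020000.00000000.sdmp, E636.exe, 00000006.00000002.2309359717.0000000001767000.00000004.00000020.00020000.00000000.sdmpfalse",
    "http://xiexie.wf/22_551/huge.datAD6.exe, 00000008.00000003.2266842133.0000000003070000.00000004.00001000.00020000.00000000.sdmpfalse",
    "http://nsis.sf.net/NSIS_Errorsetup.exe, setup.exe, 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmpfalse",
]

FLAG_RE = re.compile(r"(true|false)$")


def parse_row(row):
    """Split one fused row into {'url', 'sources', 'malicious'}."""
    row = row.strip()
    flag = FLAG_RE.search(row)
    if flag is None:
        raise ValueError("row lacks a trailing Malicious flag: %r" % row[:60])
    body = row[: flag.start()]
    # Earliest position of any known source name; -1 if none is present.
    cut = min((i for i in (body.find(t) for t in KNOWN_SOURCES) if i >= 0), default=-1)
    if cut <= 0:
        raise ValueError("no known source name in row: %r" % row[:60])
    url, source_list = body[:cut], body[cut:]
    # The source list alternates "<name>, <memory dump id>.sdmp" for process
    # memory and is a bare file name for dropped files; keep distinct names.
    names = {p.strip() for p in source_list.split(",") if not p.strip().endswith(".sdmp")}
    return {"url": url, "sources": sorted(names), "malicious": flag.group(1) == "true"}


def triage(rows):
    """Map host -> sorted source names for strings found in process memory
    other than NOISE_SOURCES; dropped-file (*.dr) sources are skipped."""
    hits = {}
    for row in rows:
        rec = parse_row(row)
        keep = [s for s in rec["sources"] if not s.endswith(".dr") and s not in NOISE_SOURCES]
        if not keep:
            continue
        host = urlsplit(rec["url"]).hostname or rec["url"]
        hits.setdefault(host, set()).update(keep)
    return {host: sorted(names) for host, names in hits.items()}


if __name__ == "__main__":
    for host, names in sorted(triage(SAMPLE_ROWS).items()):
        print("%-25s %s" % (host, ", ".join(names)))
```

On the five sample rows the MSN string from explorer.exe and the Chrome webstore string from resources.pak.11.dr drop out, leaving foodypannyjsud.shop (E636.exe), xiexie.wf (AD6.exe) and nsis.sf.net (setup.exe). The last one shows the limit of a source-based filter: it is the NSIS installer's own error string, so the surviving hosts still need a reputation or behaviour check before being treated as indicators.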
| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 77.221.157.163 | unknown | Russian Federation | 30968 | INFOBOX-ASInfoboxruAutonomousSystemRU | true |
| 104.192.141.1 | unknown | United States | 16509 | AMAZON-02US | false |
| 188.114.97.3 | unknown | European Union | 13335 | CLOUDFLARENETUS | true |
| 186.101.193.110 | unknown | Ecuador | 27947 | TelconetSAEC | true |
| 141.8.194.149 | unknown | Russian Federation | 35278 | SPRINTHOSTRU | true |
| 172.67.221.174 | unknown | United States | 13335 | CLOUDFLARENETUS | false |
| 190.147.2.86 | unknown | Colombia | 10620 | TelmexColombiaSACO | true |
| 146.70.169.164 | unknown | United Kingdom | 2018 | TENET-1ZA | true |
                                                                                                                                                                                                                        Joe Sandbox version:40.0.0 Tourmaline
                                                                                                                                                                                                                        Analysis ID:1466817
                                                                                                                                                                                                                        Start date and time:2024-07-03 13:26:07 +02:00
                                                                                                                                                                                                                        Joe Sandbox product:CloudBasic
                                                                                                                                                                                                                        Overall analysis duration:0h 18m 19s
                                                                                                                                                                                                                        Hypervisor based Inspection enabled:false
                                                                                                                                                                                                                        Report type:full
                                                                                                                                                                                                                        Cookbook file name:default.jbs
                                                                                                                                                                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                                                                                        Number of analysed new started processes analysed:40
                                                                                                                                                                                                                        Number of new started drivers analysed:0
                                                                                                                                                                                                                        Number of existing processes analysed:0
                                                                                                                                                                                                                        Number of existing drivers analysed:0
                                                                                                                                                                                                                        Number of injected processes analysed:1
                                                                                                                                                                                                                        Technologies:
                                                                                                                                                                                                                        • HCA enabled
                                                                                                                                                                                                                        • EGA enabled
                                                                                                                                                                                                                        • AMSI enabled
                                                                                                                                                                                                                        Analysis Mode:default
                                                                                                                                                                                                                        Sample name:5GOuTtZoQn.exe
                                                                                                                                                                                                                        renamed because original name is a hash value
                                                                                                                                                                                                                        Original Sample Name:7fc4847438a3867ab9380525626d0cece5f31bd4d148864e4168616c182f7b6e.exe
                                                                                                                                                                                                                        Detection:MAL
                                                                                                                                                                                                                        Classification:mal100.troj.spyw.evad.winEXE@240/115@0/8
                                                                                                                                                                                                                        EGA Information:
                                                                                                                                                                                                                        • Successful, ratio: 83.3%
                                                                                                                                                                                                                        HCA Information:
                                                                                                                                                                                                                        • Successful, ratio: 62%
                                                                                                                                                                                                                        • Number of executed functions: 185
                                                                                                                                                                                                                        • Number of non-executed functions: 113
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Connection to analysis system has been lost, crash info: Unknown
• Exclude process from analysis (whitelisted): WMIADAP.exe, SIHClient.exe, svchost.exe
• Execution Graph export aborted for target E636.exe, PID 4476 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Skipping network analysis since amount of network traffic is too extensive
• VT rate limit hit for: 5GOuTtZoQn.exe
Time      Type             Description
07:27:27  API Interceptor  1x Sleep call for process: MpCmdRun.exe modified
07:27:27  API Interceptor  156016x Sleep call for process: explorer.exe modified
07:27:50  API Interceptor  9x Sleep call for process: E636.exe modified
07:29:53  API Interceptor  1x Sleep call for process: GamePall.exe modified
12:27:33  Task Scheduler   Run new task: Firefox Default Browser Agent 9702C14AC0E093F2 path: C:\Users\user\AppData\Roaming\wdugfia
12:29:51  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run GamePall C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
12:30:03  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run GamePall C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
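The timeline above records two persistence mechanisms: a scheduled task whose name imitates Mozilla's "Firefox Default Browser Agent" but whose path is an extension-less file under AppData\Roaming, and a Run value ("GamePall") observed through both the 32-bit and 64-bit registry views. The script below is an added example, not Joe Sandbox code: it parses timeline rows in the run-together "time / type / description" shape shown on this page (the sample rows are copied from the report), extracts the autostart artifacts and flags the ones that look out of place. The flagging rules (autostart binaries living in user-writable directories, a Firefox-agent task name that does not point into a Firefox install directory, a target without an executable extension) are assumptions of this example, not sandbox output.

```python
"""Triage the Time/Type/Description timeline of a Joe Sandbox report for
persistence artifacts.  Added example; the row format is inferred from the
rows shown on the report page and the flagging rules are this example's own."""
import re
from dataclasses import dataclass, field

# Constructed sample input: the timeline rows exactly as they appear on the
# report page, with time, type and description run together.
SAMPLE_ROWS = [
    r"07:27:27API Interceptor1x Sleep call for process: MpCmdRun.exe modified",
    r"07:27:27API Interceptor156016x Sleep call for process: explorer.exe modified",
    r"07:27:50API Interceptor9x Sleep call for process: E636.exe modified",
    r"07:29:53API Interceptor1x Sleep call for process: GamePall.exe modified",
    r"12:27:33Task SchedulerRun new task: Firefox Default Browser Agent 9702C14AC0E093F2 path: C:\Users\user\AppData\Roaming\wdugfia",
    r"12:29:51AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run GamePall C:\Users\user\AppData\Roaming\GamePall\GamePall.exe",
    r"12:30:03AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run GamePall C:\Users\user\AppData\Roaming\GamePall\GamePall.exe",
]

# The type column has a fixed vocabulary, which is what lets us split the
# run-together row without a delimiter.
ROW_RE = re.compile(r"^(\d{2}:\d{2}:\d{2})(API Interceptor|Task Scheduler|Autostart)(.*)$")
RUN_RE = re.compile(r"^Run: (?P<key>\S+) (?P<name>\S+) (?P<path>.+)$")
TASK_RE = re.compile(r"^Run new task: (?P<name>.+?) path: (?P<path>.+)$")

# Assumed heuristics of this example (not the sandbox's rules).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
FIREFOX_AGENT_PREFIX = "firefox default browser agent"


@dataclass
class Event:
    time: str
    kind: str
    description: str


@dataclass
class Persistence:
    time: str
    mechanism: str          # "run_key" or "scheduled_task"
    name: str
    path: str
    reasons: list = field(default_factory=list)


def parse_rows(rows):
    """Split each run-together row into (time, type, description)."""
    events = []
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            events.append(Event(*m.groups()))
    return events


def assess(name, path):
    """Return the reasons an autostart entry looks suspicious (empty if none)."""
    reasons = []
    lower = path.lower()
    if any(marker in lower for marker in USER_WRITABLE_MARKERS):
        reasons.append("binary in user-writable directory")
    # Assumption: the genuine Mozilla agent task points into the Firefox install directory.
    if name.lower().startswith(FIREFOX_AGENT_PREFIX) and "mozilla firefox" not in lower:
        reasons.append("task name mimics Firefox Default Browser Agent but path is not a Firefox install")
    if not lower.endswith((".exe", ".dll", ".cmd", ".bat")):
        reasons.append("autostart target has no executable extension")
    return reasons


def find_persistence(events):
    """Pull Run-key values and scheduled tasks out of parsed events."""
    found = []
    for ev in events:
        if ev.kind == "Autostart":
            m = RUN_RE.match(ev.description)
            if m:
                found.append(Persistence(ev.time, "run_key", m["name"], m["path"], assess(m["name"], m["path"])))
        elif ev.kind == "Task Scheduler":
            m = TASK_RE.match(ev.description)
            if m:
                found.append(Persistence(ev.time, "scheduled_task", m["name"], m["path"], assess(m["name"], m["path"])))
    return found


def unique_targets(hits):
    """Collapse duplicates such as the same Run value seen via HKCU and HKCU64."""
    return sorted({h.path for h in hits})


def summarize(rows):
    """Human-readable hunt list: one line per suspicious persistence entry."""
    lines = []
    for h in find_persistence(parse_rows(rows)):
        if h.reasons:
            lines.append(f"{h.time} {h.mechanism} {h.name!r} -> {h.path} [{'; '.join(h.reasons)}]")
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_ROWS):
        print(line)
    print("targets to hunt for:", unique_targets(find_persistence(parse_rows(SAMPLE_ROWS))))
```

On a real host the two unique paths it returns are what you would look for with Get-ScheduledTask / the HKCU Run key; the HKCU and HKCU64 rows are the same value reported once per registry view, which is why the example de-duplicates by path rather than by row.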
Process: C:\Users\user\AppData\Local\Temp\AD6.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category: dropped
Size (bytes): 107232830
Entropy (8bit): 7.999946456161068
Encrypted: true
SSDEEP: 1572864:6F6Q78DDbO8pDfwpK5ZAQ5WKor2G5N6Y7ZxFo9jk7WUTLECglga1R7P435MZZDXA:jPNVfsQZoL5NJdo9jKWergS89P4qZZc
MD5: FF2293FBFF53F4BD2BFF91780FABFD60
SHA1: 61A9EDCF46228DC907AD523AA6FD035CC26C9209
SHA-256: B9BC473FC866909F089E005BAF2537EE7FF2825668D40D67C960D5C2AFB34E9F
SHA-512: C31A0046BA580926097422DF34619B614AA0DEB6435EC5CE68A553846FAD15BC61908B8C8292D25EE061BA1974637A7B91D72F19CCCCC2C76B9AC737B1CB4A5E
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: ReversingLabs, Detection: 3%
Reputation: unknown
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8........................................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............|..............@....ndata.......P...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\explorer.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: modified
Size (bytes): 578048
Entropy (8bit): 6.297510031778876
Encrypted: false
SSDEEP: 12288:No4ykJuqlLJop9G3/AmAGWn7sfPJYQIMt8KHsTH:NoBsLaDKAmAbUJ+M2K2
MD5: DA4B6F39FC024D2383D4BFE7F67F1EE1
SHA1: 7CC975D9FF785E269163897907D0B9B3CEE29956
SHA-256: 544697A024ABAEA1B24EAA3D89869B2C8A4C1ACF96D4E152F5632D338D054C9E
SHA-512: D73CC4D911D9E61711B97CB9212D5BC93CB1B1314A39945934EB92239A31728FCCA7FEFBEC0143BAD915B0A7A6B93DF11D0AB7F559737AA7EC920BD24243FFFE
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 54%
Reputation: unknown
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(...I..I..I...1..I...1...I...1..I..l...I..l...I..l....I...1..I..I...I..]...I..]...I..Rich.I..................PE..L...w;.f...............'.....\....................@.......................................@.....................................(................................2..Xh..p....................i.......g..@...............@............................text....~.......................... ..`.rdata..4...........................@..@.data...............................@....reloc...2.......4..................@..B........................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\explorer.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category: dropped
Size (bytes): 293869
Entropy (8bit): 5.61569579822855
Encrypted: false
SSDEEP: 3072:lFi6z/VXzAf3ocMNqB3r1Josf+OMhERMlm+twHBumSYyDgIoIPM7l0UGHM7:lxFSIjs+OM2eLFmSFgIZk7+HM7
MD5: 60172CA946DE57C3529E9F05CC502870
SHA1: DE8F59D6973A5811BB10A9A4410801FA63BC8B56
SHA-256: 42CEB2252FEC41FD0ACC6874B41C91E0BA07C367045D6A9A7850D59781C2584C
SHA-512: 15D37AF3CAB96FC9026A1898E09C775FE0D277098A3FE20C2E591272DE996A243850D43F3B48B4C037C5FED359E57795A7CF1652547D7AD8B16B186AB9508792
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: ReversingLabs, Detection: 21%
Reputation: unknown
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8........`..X............................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............|..............@....ndata.......P...........................rsrc...X....`......................@..@................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\explorer.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 6642176
Entropy (8bit): 7.866419732571782
Encrypted: false
SSDEEP: 98304:LqhZ67opwYckx35SF2XKgxVvHuCPU8GSbO3JAXV1LrA+ZlL9CxpzTp2:LgErupSgKORuCT43JeV1LE+/s3p
MD5: BD2EAC64CBDED877608468D86786594A
SHA1: 778AD44AFD5629F0A5B3B7DF9D6F02522AE94D91
SHA-256: CAE992788853230AF91501546F6EAD07CFD767CB8429C98A273093A90BBCB5AD
SHA-512: 3C8F43045F27ADDCB5FB23807C2CE1D3F247CC30DD1596134A141B0BBC7FA4D30D138791214D939DC4F34FD925B9EC450EA340E5871E2F4F64844226ED394312
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 68%
Reputation: unknown
                                                                                                                                                                                                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....U~f..............................M...........@...................................e...@..................................O......P......................@.......................................................@3..............................text...+........................... ..`.rdata...*..........................@..@.data.... ..........................@....vmpL.p.....0...................... ..`.vmpL.p@....@3.....................@....vmpL.p..]..P3...]................. ..`.reloc.......@........].............@..@.rsrc.......P...f....].............@..@........................................................................................................................................................................................................................................................................................................................
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):358363995
Entropy (8bit):6.972150585647623
Encrypted:false
SSDEEP:3145728:KTzytRGD/CYRNIPKYTFBhfmOS9KBaVzTx9OSsKV97nM:KnUs4tvaVzTD99M
MD5:5F9D89B40243E83C0B48206CE4EB77D1
SHA1:477A019AB11E5793168B3E41D83B80A8AC8F1D43
SHA-256:2BF31800E731EF63E7E5BDEECD87B50B349EC8F5C9D752AACB807AC0E82E95B9
SHA-512:5B812C2D341FE8A9296EF68E416E0EFA8185FB3ECCEC0917AB206CD7639E1810E6444538B61583E2260F1A46D4209E1995CFBF940A1D9836C4155ADF0504940B
Malicious:false
Reputation:unknown
Preview:........,.......................H...........................................................................................................................................................................................................................................................e...i...............j.......................3.......................................................................................................................t....V..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):82944
Entropy (8bit):6.389604568119155
Encrypted:false
SSDEEP:1536:Dli3i1jKfTV0LzYpAzMk2nACScLw5jPAT:j9KLQ+ScLw5jPAT
MD5:165E1EF5C79475E8C33D19A870E672D4
SHA1:965F02BFD103F094AC6B3EEF3ABE7FDCB8D9E2A5
SHA-256:9DB9C58E44DFF2D985DC078FDBB7498DCC66C4CC4EB12F68DE6A98A5D665ABBD
SHA-512:CD10EAF0928E5DF048BF0488D9DBFE9442E2E106396A0967462BEF440BF0B528CDF3AB06024FB6FDAF9F247E2B7F3CA0CEA78AFC0CE6943650EF9D6C91FEE52A
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........W=.e9n.e9n.e9n...n.e9n...n.e9n..Bn.e9n.e8n.e9n.7.n.e9n...n.e9n...n.e9n...n.e9nRich.e9n........PE..L...,.N...........!.........^.......%...............................................3..................................`...$'..d....`.......................p...................................... ...@...............h............................text...1........................... ..`.rdata..P/.......0..................@..@.data........0......................@....rsrc........`.......*..............@..@.reloc.......p.......,..............@..B........................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\AD6.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):22016
Entropy (8bit):5.668346578219837
Encrypted:false
SSDEEP:384:VpOSdCjDyyvBwRlX+ODbswYM2s74NS0v0Ac9khYLMkIX0+Gzyekx:rdCjW/lX1PfYM2X1
MD5:92EC4DD8C0DDD8C4305AE1684AB65FB0
SHA1:D850013D582A62E502942F0DD282CC0C29C4310E
SHA-256:5520208A33E6409C129B4EA1270771F741D95AFE5B048C2A1E6A2CC2AD829934
SHA-512:581351AEF694F2489E1A0977EBCA55C4D7268CA167127CEFB217ED0D2098136C7EB433058469449F75BE82B8E5D484C9E7B6CF0B32535063709272D7810EC651
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9<.EXR.EXR.EXR.b.).LXR.EXS..XR.b. .FXR.b.(.DXR.b...DXR.b.*.DXR.RichEXR.................PE..L....I6V...........!.....8...P......Q?.......P...................................................................... G..l....?..d.......(...............................................................................P............................text....7.......8.................. ..`.data...<<...P.......<..............@....rsrc...(............D..............@..@.reloc...............N..............@..B........................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\AD6.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):22528
Entropy (8bit):6.674611218414922
Encrypted:false
SSDEEP:384:yTxz0Cv0hqd+1TjQmd9YWrSUEc//////OD5hF92IJpJgLa0MpoYfAz6S:jCvsqdS3QGBREc//////Q53NgLa1ub
MD5:5AFD4A9B7E69E7C6E312B2CE4040394A
SHA1:FBD07ADB3F02F866DC3A327A86B0F319D4A94502
SHA-256:053B4487D22AACF8274BAB448AE1D665FE7926102197B47BFBA6C7ED5493B3AE
SHA-512:F78EFE9D1FA7D2FFC731D5F878F81E4DCBFAF0C561FDFBF4C133BA2CE1366C95C4672D67CAE6A8BD8FCC7D04861A9DA389D98361055AC46FC9793828D9776511
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 5%
Reputation:unknown
Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................6..........dD.......P....@.....................................................................Y.......................................p...................................................................................CODE....|4.......6.................. ..`DATA....8....P.......:..............@...BSS..........p.......L...................idata...............L..............@....edata..Y............P..............@..P.reloc..p............R..............@..P.rsrc................V..............@..P.....................X..............@..P................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\AD6.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4608
Entropy (8bit):4.666004851298707
Encrypted:false
SSDEEP:48:iYXzAm8HGJLvwM8GJFd6I7W4JtT2bxNNAa4GsNf+CJ8aYqmtlKdgAtgma1QvtCSJ:lz2mJkpGR6GY74GQ1YqmstgGCtR
MD5:FAA7F034B38E729A983965C04CC70FC1
SHA1:DF8BDA55B498976EA47D25D8A77539B049DAB55E
SHA-256:579A034FF5AB9B732A318B1636C2902840F604E8E664F5B93C07A99253B3C9CF
SHA-512:7868F9B437FCF829AD993FF57995F58836AD578458994361C72AE1BF1DFB74022F9F9E948B48AFD3361ED3426C4F85B4BB0D595E38EE278FEE5C4425C4491DBF
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........s.I...I...I...n|f.L...I...Q...@..K...@..H...@..H...RichI...........PE..L...`..N...........!......................... ...............................`.......................................#....... ..<....@.......................P..|.................................................... ..`............................text............................... ..`.rdata....... ......................@..@.data... ....0......................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\AD6.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:dropped
Size (bytes):107232830
Entropy (8bit):7.999946456161068
Encrypted:true
SSDEEP:1572864:6F6Q78DDbO8pDfwpK5ZAQ5WKor2G5N6Y7ZxFo9jk7WUTLECglga1R7P435MZZDXA:jPNVfsQZoL5NJdo9jKWergS89P4qZZc
MD5:FF2293FBFF53F4BD2BFF91780FABFD60
SHA1:61A9EDCF46228DC907AD523AA6FD035CC26C9209
SHA-256:B9BC473FC866909F089E005BAF2537EE7FF2825668D40D67C960D5C2AFB34E9F
SHA-512:C31A0046BA580926097422DF34619B614AA0DEB6435EC5CE68A553846FAD15BC61908B8C8292D25EE061BA1974637A7B91D72F19CCCCC2C76B9AC737B1CB4A5E
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: ReversingLabs, Detection: 3%
Reputation:unknown
Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8........................................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............|..............@....ndata.......P...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:dropped
Size (bytes):8192
Entropy (8bit):0.01057775872642915
Encrypted:false
SSDEEP:3:MsFl:/F
MD5:CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:false
Reputation:unknown
Preview:............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):8192
                                                                                                                                                                                                                        Entropy (8bit):0.012096502606932763
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3:MsEllllkXl:/M/6
                                                                                                                                                                                                                        MD5:259E7ED5FB3C6C90533B963DA5B2FC1B
                                                                                                                                                                                                                        SHA1:DF90EABDA434CA50828ABB039B4F80B7F051EC77
                                                                                                                                                                                                                        SHA-256:35BB2F189C643DCF52ECF037603D104035ECDC490BF059B7736E58EF7D821A09
                                                                                                                                                                                                                        SHA-512:9D401053AC21A73863B461B0361DF1A17850F42FD5FC7A77763A124AA33F2E9493FAD018C78CDFF63CA10F6710E53255CE891AD6EC56EC77D770C4630F274933
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):8192
                                                                                                                                                                                                                        Entropy (8bit):0.011852361981932763
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3:MsHlDll:/H
                                                                                                                                                                                                                        MD5:0962291D6D367570BEE5454721C17E11
                                                                                                                                                                                                                        SHA1:59D10A893EF321A706A9255176761366115BEDCB
                                                                                                                                                                                                                        SHA-256:EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
                                                                                                                                                                                                                        SHA-512:F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                        Size (bytes):8192
                                                                                                                                                                                                                        Entropy (8bit):0.012340643231932763
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3:MsGl3ll:/y
                                                                                                                                                                                                                        MD5:41876349CB12D6DB992F1309F22DF3F0
                                                                                                                                                                                                                        SHA1:5CF26B3420FC0302CD0A71E8D029739B8765BE27
                                                                                                                                                                                                                        SHA-256:E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
                                                                                                                                                                                                                        SHA-512:E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                        File Type:FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):262512
                                                                                                                                                                                                                        Entropy (8bit):8.736218952347586E-4
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3:LsNl63st:Ls3cst
                                                                                                                                                                                                                        MD5:BE6E950CE9A805BDA11B408CFF237135
                                                                                                                                                                                                                        SHA1:BD6846156686D325DAA24432D22B4259BC61539E
                                                                                                                                                                                                                        SHA-256:7D3E8228A604D356952117E8E8A3A63C0EEDF371FAADC55DCBE4C1603F1B9607
                                                                                                                                                                                                                        SHA-512:F93BF3C767697DBECC373811C6A8FAF8D472DCC4EF22E6881A17ED36999A7C382DFEEAF333EE5800E45C165242A565E7C8DE0BADCC87D9B72CE5934C9F323DB7
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:.............................................z/.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):8192
                                                                                                                                                                                                                        Entropy (8bit):4.622398838808078
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:96:QPjzIyfbInD3W0IwrBmEH7UewW4ORIhmY5XO40uK8DDzNt:pQIS0IwrJbU7W4kIX5e4kgF
                                                                                                                                                                                                                        MD5:97D4D47D539CB8171BE2AEFD64C6EBB1
                                                                                                                                                                                                                        SHA1:44ABF82DD553CCE0C1F41B9B78D853075DDD1F16
                                                                                                                                                                                                                        SHA-256:8D996D5F68BF2248F223C4F3549303BC6A8EC58CC97FCB63B7BB7D8068850273
                                                                                                                                                                                                                        SHA-512:7D402847B093E208410C695095DE815A3F5D5DA81630FD51C88C009C48C269D0EA5016D626351BB9D38862163FAD930645072C50ACCCD743DC0E19531A592FDE
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 7%
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....&.].........."...0.............64... ...@....@.. ....................................@..................................3..O....@.......................`.......2............................................... ............... ..H............text...<.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................4......H........#...............1...............................................0..-.......(....r...p(.....(.......(....,...(....*(....*....0..T........~....(.....~....(.....(....s....%.o....%.o....%.o....%.o....%~....o....(....&..&..*........PP.......0..6.......(....(......( ...r...p~....r...p(!.....("...,...(#...*...0..........r...p.~$.....o%.....,..~....o&......,..o'....ra..p.~$.....o%.....,..~....o(......,..o'....r...p.~$.....o%.....,..~....o(......,..o'......&..*....4.......#..
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                        File Type:FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):8192
                                                                                                                                                                                                                        Entropy (8bit):0.01057775872642915
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3:MsFl:/F
                                                                                                                                                                                                                        MD5:CF89D16BB9107C631DAABF0C0EE58EFB
                                                                                                                                                                                                                        SHA1:3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
                                                                                                                                                                                                                        SHA-256:D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
                                                                                                                                                                                                                        SHA-512:8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type: data
Category: dropped
Size (bytes): 8192
Entropy (8bit): 0.012096502606932763
Encrypted: false
SSDEEP: 3:MsEllllkXl:/M/6
MD5: 259E7ED5FB3C6C90533B963DA5B2FC1B
SHA1: DF90EABDA434CA50828ABB039B4F80B7F051EC77
SHA-256: 35BB2F189C643DCF52ECF037603D104035ECDC490BF059B7736E58EF7D821A09
SHA-512: 9D401053AC21A73863B461B0361DF1A17850F42FD5FC7A77763A124AA33F2E9493FAD018C78CDFF63CA10F6710E53255CE891AD6EC56EC77D770C4630F274933
Malicious: false
Reputation: unknown
Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type: data
Category: dropped
Size (bytes): 8192
Entropy (8bit): 0.011852361981932763
Encrypted: false
SSDEEP: 3:MsHlDll:/H
MD5: 0962291D6D367570BEE5454721C17E11
SHA1: 59D10A893EF321A706A9255176761366115BEDCB
SHA-256: EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512: F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious: false
Reputation: unknown
Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type: data
Category: dropped
Size (bytes): 8192
Entropy (8bit): 0.012340643231932763
Encrypted: false
SSDEEP: 3:MsGl3ll:/y
MD5: 41876349CB12D6DB992F1309F22DF3F0
SHA1: 5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256: E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512: E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious: false
Reputation: unknown
Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type: FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category: dropped
Size (bytes): 262512
Entropy (8bit): 9.553120663130604E-4
Encrypted: false
SSDEEP: 3:LsNljj3R+/:Ls3M/
MD5: E8821D8716533DCB4137DCA7389B800C
SHA1: ECFF0AED90107735857D12D25795BD6FB220329D
SHA-256: 2190E484A5CADAFBD5320258E72C2F84B5F6427F2287C416DC14198610F86521
SHA-512: 6E0ED4C49D4CBF1381B976550868A9D94B31BBBF8635A555EE5F5E5E678C5E822704308566EF4140E73A7FC576FEC8742595985441D0F50854AAE3CC0B3BE2FB
Malicious: false
Reputation: unknown
Preview: ...........................................z/.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 296448
Entropy (8bit): 5.660420770467009
Encrypted: false
SSDEEP: 3072:xTpjI4TptgvmHMaellnhblkK0m2QEk0xjo4OVzdvayfvYn6A:ppbVtsg1e5b2Px2zdyyq
MD5: 7A3502C1119795D35569535DE243B6FE
SHA1: DA0D16BC66614C7D273C47F321C5EE0652FB5575
SHA-256: B18FEFB56ED7B89E45CEC8A5494FBEC81E36A5CB5538CCBB8DE41CCE960FAA30
SHA-512: 258B111AC256CD8145CBE212D59DFF5840D67E70EFFD7CDDC157B2A3461B398BBC3446004980131FAA6A8762C19305F56E7B793F045331B56B8BD17D85B884C4
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 3%
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....rf..............0.............>.... ........@.. ....................................@....................................O.......t............................................................................ ............... ..H............text...d.... ...................... ..`.rsrc...t...........................@..@.reloc..............................@..B................ .......H....... ...$...........D...p............................................(....s....*Z..(....,...(....(....*.(....*..(....*..(....*.......*.~....*....0..W.......(....".....(......,..o....-..*.o.....+...( .....o....&..(!...-...........o"....."...BZ*.......%..A.......0..Q.......(....(........,..o....-..*.o.....+...( .....o....&.._...(!...-...........o".....*.........!. A.......0..V.......(....(......,..o....-.*~#.....o.....+...( ...."...B[..o....&..(!...-...........o"....*......

Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 462336
Entropy (8bit): 6.803831500359682
Encrypted: false
SSDEEP: 6144:leSYvQAd10GtSV41OJDsTDDVUMle6ZjxLV/rHo0Oaaz2R9IY:oJBdBS4msNUCe65frHMnz2R9
MD5: 6DED8FCBF5F1D9E422B327CA51625E24
SHA1: 8A1140CEBC39F6994EEF7E8DE4627FB7B72A2DD9
SHA-256: 3B3E541682E48F3FD2872F85A06278DA2F3E7877EE956DA89B90D732A1EAA0BD
SHA-512: BDA3A65133B7B1E2765C7D07C7DA5103292B3C4C2F0673640428B3E7E8637B11539F06C330AB5D0BA6E2274BD2DCD2C50312BE6579E75C4008FF5AE7DAE34CE4
Malicious: false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....=N...........!................N#... ...@....@.. ..............................T.....@.................................."..O....@..P....................`......."............................................... ............... ..H............text...T.... ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B................0#......H.......0U..l...........P%.../..P ......................................6..`N.?O...%.C.k_..d...I......5a.......9x......R...gg8...JM...`.[. .o..eE1$_.M.h.q.oz..1..........@....s.c/J..wk.D.....t..&...(....*...0..2........r...p(....}.......}"....(........(.........(....*..r...p(....}.......}"....(........(....*..0..j.........o....-..s#...+..}......(......(......}.....(....s....}......}......}......(......%-.&r...p}......j(#...*rr!..p.{.....{.....B...(....*..0..A........{..

Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 574376
Entropy (8bit): 5.8881470355864725
Encrypted: false
SSDEEP: 12288:ZzfhypmNGgHA37YyUD1AboTf3xnpJbC8VGSBJjRuz7:ZoI1AbQf3xnpJbC8VLBJjRuz7
MD5: 8F81C9520104B730C25D90A9DD511148
SHA1: 7CF46CB81C3B51965C1F78762840EB5797594778
SHA-256: F1F01B3474B92D6E1C3D6ADFAE74EE0EA0EBA6E9935565FE2317686D80A2E886
SHA-512: B4A66389BF06A6611DF47E81B818CC2FCD0A854324A2564A4438866953F148950F59CD4C07C9D40CC3A9043B5CE12B150C8A56CCCDF98D5E3F0225EDF8C516F3
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Ot............" ..0.............6.... ........... ....................................@....................................O.......................................T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........f...P............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X.+....b...aX...X...2.....cY.....cY....cY...{...._..{........+,..{E....3...{D......(....,...{D...*..{F.......-..*...0...........-.r...ps....z.o......-.~....*.~....X...+....b..
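The records above carry three things an analyst actually acts on: the 8-bit entropy (which is why the 8192-byte and 262512-byte files written by GamePall.exe score near zero: they are almost entirely null bytes, so the "FoxPro FPT" type string is only libmagic's guess on padding), the per-engine detections on the PE files written by setup.exe, and the digests used to confirm a retrieved copy is the same bytes the sandbox saw. The following script is an added example, not part of the Joe Sandbox report or of any Joe Sandbox tooling. It recomputes that entropy metric, parses a listing in the same "Key:Value" line shape as this section (the two embedded records are constructed by copying values from the records above), derives triage notes, and checks bytes in hand against the listed hashes. The note names (writer-in-user-profile, av-hit, pe-file, high-entropy-pe, near-null-content) and the thresholds 7.0 and 0.05 bits per byte are this example's own choices, not values the report defines.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed input (not the report's raw HTML): two records in the same
# "Key:Value" line shape as the dropped-files listing, values copied from it.
SAMPLE_LISTING = r"""
Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Size (bytes):262512
Entropy (8bit):9.553120663130604E-4
MD5:E8821D8716533DCB4137DCA7389B800C
SHA-256:2190E484A5CADAFBD5320258E72C2F84B5F6427F2287C416DC14198610F86521
Malicious:false
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Size (bytes):296448
Entropy (8bit):5.660420770467009
MD5:7A3502C1119795D35569535DE243B6FE
SHA-256:B18FEFB56ED7B89E45CEC8A5494FBEC81E36A5CB5538CCBB8DE41CCE960FAA30
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 3%
"""

AV_LINE = re.compile(r"• Antivirus: (.+?), Detection: (\d+)%")


def shannon_entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0), the quantity the listing
    labels 'Entropy (8bit)'. All-null data scores 0.0; a buffer in which every
    byte value is equally frequent scores 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_dropped_files(listing: str) -> list:
    """One dict per record; a record starts at each 'Process:' line and the
    bullets under 'Antivirus:' become (engine, detection_percent) tuples."""
    records = []
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = AV_LINE.match(line)
        if m:
            records[-1]["Antivirus"].append((m.group(1), int(m.group(2))))
            continue
        key, _, value = line.partition(":")  # first colon only, so paths keep C:
        if key == "Process":
            records.append({"Antivirus": []})
        elif key == "Antivirus":
            continue  # bare header; the bullet lines that follow carry the data
        records[-1][key] = value.strip()
    return records


def triage_notes(rec: dict) -> list:
    """Reasons a record deserves attention, plus caveats on how to read it.
    Note names and thresholds are this example's own, assumed conventions."""
    notes = []
    process = rec.get("Process", "").lower()
    ftype = rec.get("File Type", "")
    size = int(rec.get("Size (bytes)", "0"))
    entropy = float(rec.get("Entropy (8bit)", "0"))
    hits = [(eng, pct) for eng, pct in rec["Antivirus"] if pct > 0]
    if "\\appdata\\" in process or "\\temp\\" in process:
        notes.append("writer-in-user-profile")  # writer runs from a user-writable path
    if hits:
        notes.append("av-hit:" + ",".join(f"{eng}={pct}%" for eng, pct in hits))
    if ftype.startswith("PE32"):
        notes.append("pe-file")
        if entropy >= 7.0:
            notes.append("high-entropy-pe")  # typical of a packed or encrypted payload
    elif size >= 4096 and entropy < 0.05:
        # Almost every byte is null, so the type string is only libmagic's
        # guess on padding and must not be taken as the real format.
        notes.append("near-null-content")
    return notes


def hash_record(data: bytes) -> dict:
    """Digests under the listing's own key names, upper-case hex."""
    return {
        "MD5": hashlib.md5(data).hexdigest().upper(),
        "SHA1": hashlib.sha1(data).hexdigest().upper(),
        "SHA-256": hashlib.sha256(data).hexdigest().upper(),
        "SHA-512": hashlib.sha512(data).hexdigest().upper(),
    }


def matches_listed_hashes(data: bytes, rec: dict) -> bool:
    """True only if every digest the record lists agrees with the bytes in hand
    (case-insensitive) and at least one digest was listed. Run this before
    analysing a retrieved dropped file so a wrong or altered copy is caught."""
    computed = hash_record(data)
    listed = [k for k in computed if k in rec]
    return bool(listed) and all(computed[k] == rec[k].upper() for k in listed)


if __name__ == "__main__":
    for record in parse_dropped_files(SAMPLE_LISTING):
        print(record["File Type"][:40], triage_notes(record))
```

Entropy here is measured over the whole file, so a mostly-null buffer with a small stub of real data (the 262512-byte file's preview shows a few non-null bytes) still scores close to zero; for a packed PE the interesting value is the per-section entropy, which this whole-file figure hides.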
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):561424
                                                                                                                                                                                                                        Entropy (8bit):4.606896607960262
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:6144:XqqUmk/Rik2rH6dl0/IaHNpOVIeR0R+CRFo9TA82m5Kj+sJjoqoyO185QyMYFLse:DUK
                                                                                                                                                                                                                        MD5:928ED37DB61C1E98A2831C8C01F6157C
                                                                                                                                                                                                                        SHA1:98103C2133EBDA28BE78BFE3E2D81D41924A23EE
                                                                                                                                                                                                                        SHA-256:39F6A4DB1BE658D6BAFF643FA05AAE7809139D9665475BFCA10D37DCA3384F21
                                                                                                                                                                                                                        SHA-512:F59387BFA914C7DB234161E31AD6075031ACA17AAEF4B8D4F4B95C78C7A6A8D0E64211566CA2FD4549B9DA45231F57A4191FBCD3809404653F86EE2ABD4937A4
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:<?xml version="1.0"?>..<doc>.. <assembly>.. <name>Newtonsoft.Json</name>.. </assembly>.. <members>.. <member name="T:Newtonsoft.Json.Bson.BsonObjectId">.. <summary>.. Represents a BSON Oid (object id)... </summary>.. </member>.. <member name="P:Newtonsoft.Json.Bson.BsonObjectId.Value">.. <summary>.. Gets or sets the value of the Oid... </summary>.. <value>The value of the Oid.</value>.. </member>.. <member name="M:Newtonsoft.Json.Bson.BsonObjectId.#ctor(System.Byte[])">.. <summary>.. Initializes a new instance of the <see cref="T:Newtonsoft.Json.Bson.BsonObjectId"/> class... </summary>.. <param name="value">The Oid value.</param>.. </member>.. <member name="T:Newtonsoft.Json.Bson.BsonReader">.. <summary>.. Represents a reader that provides fast, non-cached, forward-only access to s
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):215862
                                                                                                                                                                                                                        Entropy (8bit):5.849338245796311
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:3072:rFi6z/VXzAf3oc8+vat7fvYnDAdOVz5kNx:rxFSI+y1qk6zuNx
                                                                                                                                                                                                                        MD5:9D21A25AA1B5985A2C8CBCE7F7007295
                                                                                                                                                                                                                        SHA1:86EBF56352B4DBB831FAE0CCA180B4ADD951240D
                                                                                                                                                                                                                        SHA-256:E41F984C39183BA4FD1578134D71E203F4A7A8C23F278924562876326FC40EE2
                                                                                                                                                                                                                        SHA-512:EE4A1AC97968F2DDA3C54A49AC33D3FCE28C4DAE72032D9FDD1F8D8BA41B07A1D78D15E11586DA54AD5E0F2BD4A48C79A0CBAC84DE3D957B2AC6C1B5F41A33BB
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8........................................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............|..............@....ndata.......P...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):875520
                                                                                                                                                                                                                        Entropy (8bit):5.621956468920589
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:12288:jsRfnBqqvFXWesd2HiZ9fyn+5FHrvUR1Qnzx7LuQ:jsRITeWAQ5vtu
                                                                                                                                                                                                                        MD5:B03C7F6072A0CB1A1D6A92EE7B82705A
                                                                                                                                                                                                                        SHA1:6675839C5E266075E7E1812AD8E856A2468274DD
                                                                                                                                                                                                                        SHA-256:F561713347544E9D06D30F02A3DFCEC5FE593B38894593AEEDF5700666B35027
                                                                                                                                                                                                                        SHA-512:19D6792EB9BA8584B94D0D59E07CE9D1C9C4DA5516490F4ABCE5AE0D7D55B357BDA45B2093B3E9EB9D6858061E9D3F530A6655C4779A50C911501AE23925C566
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..R...........p... ........... ....................................@..................................p..O.......x............................o..T............................................ ............... ..H............text....P... ...R.................. ..`.rsrc...x............T..............@..@.reloc...............Z..............@..B.................p......H....... .................................................................(....*..(....*..(....*^.(.......=...%...}....*:.(......}....*:.(......}....*^.(.......>...%...}....*:.(......}....*.(.........*....0..,.......(....o.......3..*....... ....3.(....-..*.*.*.0..L.......~..... . ..(......(....-..(....r...p( ...,.......&...~....(!...,..(".....*.*........+1...........4.......~....*.~....*..(....*.~....,.*.(#...-.(....-..(....+.r...ps$...z(..........*b.r...p(%...~.....(....&*.r
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1946739
                                                                                                                                                                                                                        Entropy (8bit):7.989700491058983
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:49152:fpXzD2VLpS71ycdao6LreGCL/0jJZWOiBiXkbEia9T:xjyFgZ0Lr2/0jJU5BiIEN
                                                                                                                                                                                                                        MD5:96AD47D78A70B33158961585D9154ECC
                                                                                                                                                                                                                        SHA1:149BF6F6905A76B0CC9E9ACA580357BD6C3497A2
                                                                                                                                                                                                                        SHA-256:C861117D1F1DBF02867B46FA87CB8C65C3213D196029EE81A02B617D131236E2
                                                                                                                                                                                                                        SHA-512:6A971F742B5754EEF39C6C2C64DB13DFDCB74D8CB23833404E9EF5AD89E142278E5DF789F508DB561C5E957013AE0C60D002CDFA93BCD87CA4967D610DF1579B
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:........V...f.....g.7........................!.....%....o8...).>...).F...).H...).X...).a...)*i...).k...).q...)Lt...).v...)Tw...).x...).}...).....)I....)i....)....).....).....)L....)....)....)t....).....).....).....)s....).... )....!)....")....#)....$)}...%)+...&)h#..').'..().-..)).>..*).A..+).C..,).Q..-)CU...).]..<).d..=).l..>)i...?)G...@)H...A)r...B)....C)z...T)....U)....V)+...W)....X)....Y)....Z)....[)#...\)}...]).!..^)R1.._).2..`).;..a).=..b)mE..c)QG..d).H..e)qL..f).U..g).]..h).b..i))d..j).e..k).g..l)Pi..m).p..n).z..s).z...).....)b....).....)'....).....)....)....).....).....)....).....)s....)F....)j....)....).....)....)....)....)h....)H....)....).....).....)k....).....)L....)q....)2....).....).....).....).....).....)N....)|....).....).....).....).!...).)...).6...).C...)RE...).L...).N...).O...).U...)bV...).W...).^...)o_...)(g...)Si...).v...).....)0....)/....).....),....).....*.....*F....*]....*3....*v....*....*v....*.....*.....*.....*$... *....!*8..."*....#*....$*....%*..
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):214119
                                                                                                                                                                                                                        Entropy (8bit):7.955451054538398
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:6144:m5S+8U5mtp0ra7rFrJzw95T9OHCZg0Gb0OveGe04mExhLY:mWU5OGUFoqoORehrQ
                                                                                                                                                                                                                        MD5:391F512173ECEC14EB5CE31299858DE1
                                                                                                                                                                                                                        SHA1:3A5A41A190C1FB682F9D9C84F500FF50308617FC
                                                                                                                                                                                                                        SHA-256:E0F5C754C969CCA0AC4594A6F3F2C23D080A09EEA992AF29E19F4291FD1E0B06
                                                                                                                                                                                                                        SHA-512:44D7B9BCB3544C3F5550150EF3522BF6A0B36900695E6A13E44F5616E16A058548189D4FEA4A22248B1CB2B273B0EAA7D559EB2D8F013BED520E4097BD45D800
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:........................#.b...&.....:.g....7.....7.....7.....7|(...7.-...7t5...7.6...7.9...7s:...7hB...7.E...7.G...7.K...7qN...7.Q...7yR...7.S...7.W...7.\...7.b...7.i...7.k...76m...7Vq...7.r...7.v...7.y...7.{...7.~...7Z....75....7;....7W....7.....7c....7u....7b....7.....7.....7.....7Q....7*....7\....8."...8,)..<FqG..=F7I..>F.L..?F$O..@F.P..AFaQ..BFnT..CF.W..DF.Y..EFJ\..FF.^..MF(b..NF.c..QF.e..RF.f..YFZg..ZF.p..[F.x..\F.{..]F.{...L.|...L.....L....Ni....N.....NJ....N2....N+....N^....No....N9....NK....N....N1....N$....N....Nh....N.....N.....U.....U.....U.....U.....U.....U[....U.&...Uh(...U?/...U.4...U.:...U.@...U.B...U,G...U.K...U)N...U.R...UF\...U.`...U.b...U.j...U]s...UEt...U.u...U.w...U.z...Uh{...U.}...U#....U.....U^....U.....U|....U.....U.....U.....U.....U.....U.....U.....U.....U.....U]....U?....U.....U9....U....U.....Um....U<....U!....U.....U.....U....Uq....U3....U!....U.....U....U.....Uu....UJ....U.....U.....U.....U.....U`....U'....U.....U.....Ul....U%....U7....U.....U.....UW.
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):290001
                                                                                                                                                                                                                        Entropy (8bit):7.9670215100557735
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:6144:tS+8U5mtp0ra7rFriDQYaF+9bQHgs4jTlmOHCZVWGMRe8InVXYopym74:CU5OGUFrfs4gs4jTQ6ebVIo374
                                                                                                                                                                                                                        MD5:BF59A047984EAFC79E40B0011ED4116D
                                                                                                                                                                                                                        SHA1:DF747125F31F3FF7E3DFE5849F701C3483B32C5E
                                                                                                                                                                                                                        SHA-256:CD9BE67AA0527F16E309189FA2369E1A2596D0601A7D55C405F8A619F4D095E9
                                                                                                                                                                                                                        SHA-512:85A545758E8C89EF47BF11B553C57D23ED7DA6AE89A8BCCB262F509AABE61A1121C3F87EC9200791F2670225BAEECC3C92AED6AFDA86C08CA0FD611DA2E595D2
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:........................#.....&.....:......7.....7.....7.....7.+...7.1...7.8...7.9...7)<...7.=...7xE...7.H...7.J...7'N...7.Q...7.T...7.U...7.W...7.Z...7._...7.e...7.l...7.n...7Fp...7ft...7.v...7)y...7.|...7.~...7.....7j....7E....7K....7g....7.....7s....7.....7r....7.....7.....7.....7a....7:....7l"...8.%...8<,..<F.J..=F.N..>FtV..?F9\..@Fw_..AFr`..BF0g..CFll..DF|o..EF.v..FF){..MF....NF...QFf...RF....YF`...ZF...[F....\F....]F....L*....L.....L.....N.....N.....N.....N.....N.....N.....N.#...N.&...N.'...N.)...N.*...N.+...Nv,...N.-...N;r...N.|...Um....U.....UM....UV....U.....U....UC....U.....U....UM....U.....U.....Um....U.....U.....U.....U.....UQ....U.....U7....U.....U.....Uk....U.....U.....U.....U.....U.....U.....U.....U.....U.....U{....U.....U.....U.....U~&...U.)...U.Q...U.Q...U.V...U.[...U.\...U._...U.`...U?a...U.a...Uic...U.d...U\f...U.g...U.i...U1l...U.p...U.u...U.}...U.....U.....U^....U.....U.....Ux....U....U.....Uy....U6....U.....U....UR....Uq....U.....U.....U_....U.....U.....U..
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1305142
                                                                                                                                                                                                                        Entropy (8bit):7.99463351416358
                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                        SSDEEP:24576:8AkckSbnVLjWG13xdT0b+SLzRYt2k+lbG9EjJNH/osm22O+EcRfPLP:88zVXWG1hdAKSxY4k5EFNHgvPPLP
                                                                                                                                                                                                                        MD5:20DDA02AF522924E45223D7262D0E1ED
                                                                                                                                                                                                                        SHA1:378E88033A7083AAC24E6CD2144F7BC706F00837
                                                                                                                                                                                                                        SHA-256:8448C2BA10A3D7DC8CA3FB24F580BF99D91F746107B1A06E74932749CC1CAB01
                                                                                                                                                                                                                        SHA-512:E71320B2AA0CB52938206EC00187D78274646C4C7D3579B33A0163262C063B7813FE7ACD0D2E5807082ADE772069AA577FED7F594964790C2F7C061CE38467B6
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:........i...f+....i+....l+....m+{...n+q...o+7(..p+.1..q+X3..r+~5..s+aI..t+.]..u+.f..v+Ui..w+'k..x+.l..y+.q..z+.s..{+O{..|+...}+=...~+.....+....+-....+.....+.....+.....+.....+.....+.....+.....+.....+.....+%....+.....+&(...+.Q...+.Y...+Xe...+Bj...+cv...+.}...+....+H....+....+Q....+l....+I....+.....+ ....+T....+!....+m....+.....+.....+U....+.....+.....+.....+l....+~....+.....+=....+w....+.....+-"...+.(...+.0...+.2...+.4...+.G...+uS...+.....+9....+y....+.....+.....+N....+....+0....+.....+.....+.....+_....+.....+.....+.....+.....+.....+.....+.....+.....+S....7`....7R...(7/...)7.....L.m...LO....L.....Mk....M.....M.....M>....M.....M.....Mq....M.....M.....M\....M.....M.....M.....M.....M.....M.....M.....M.....M.....MO....M.....M.....M.!...M.(...Mf5...M.;...M&E...M.P...M.T...M<]...M.`...M.j.. M.k..!M2v.."M.w..#M.z..$M....%M...&M...'M#...(M@...)M....*M(...+MY...,Mu...-M$....M..../MV...0M;...1Mx...2M....3M....4Mi...5M....6M....7MP...8M"...DM....EM.....Mi....M.~...M.~...Mb....M_....M....M.
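The dropped-file entries above each carry a libmagic-style file type, an 8-bit entropy value, an Encrypted flag and a set of digests. The script below is an added example, not Joe Sandbox's own code, that recomputes those fields for a file on disk so a report's values can be checked locally: it derives the type from magic bytes (DOS/COFF/optional PE headers, the CLR data directory for .NET images, the "NullsoftInst" marker for NSIS stubs, the "!<arch>" ar header, an XML prolog), computes Shannon entropy in bits per byte, and hashes the content. The 7.99 entropy threshold used to set the likely_encrypted flag is an assumption chosen to separate the 7.9946 and 7.9897 entries above; it is not the sandbox's actual rule. The PE headers built by build_sample_pe are constructed sample input, not loadable images.

```python
"""Added example (not Joe Sandbox code): recompute the per-file triage fields
shown in a dropped-file table, i.e. file type from magic bytes, 8-bit Shannon
entropy, an "encrypted" heuristic and MD5/SHA-1/SHA-256/SHA-512 digests."""
import hashlib
import math
import struct
from collections import Counter
from typing import Optional

# Assumption for this example, not the sandbox's rule: an unrecognised blob whose
# entropy is at or above this value is flagged as likely encrypted/compressed.
ENCRYPTED_ENTROPY_THRESHOLD = 7.99
MACHINES = {0x14C: "Intel 80386", 0x8664: "x86-64"}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant file, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_details(data: bytes) -> Optional[dict]:
    """Parse the DOS, COFF and optional headers far enough to describe a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _, _, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]           # 0x10B = PE32, 0x20B = PE32+
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # 2 = GUI, 3 = console
    # Data directory 14 (CLR runtime header) is non-zero only for managed (.NET) images.
    dd_base = opt + (96 if magic == 0x10B else 112)
    clr_rva = struct.unpack_from("<I", data, dd_base + 14 * 8)[0]
    return {
        "bits": 32 if magic == 0x10B else 64,
        "machine": MACHINES.get(machine, hex(machine)),
        "dll": bool(characteristics & 0x2000),  # IMAGE_FILE_DLL
        "subsystem": {2: "GUI", 3: "console"}.get(subsystem, str(subsystem)),
        "dotnet": clr_rva != 0,
        "nsis": b"NullsoftInst" in data,  # literal carried by NSIS first headers
    }


def classify(data: bytes) -> str:
    """Return a libmagic-style description for the file types seen in the table."""
    try:
        pe = pe_details(data)
    except struct.error:  # truncated or malformed header
        pe = None
    if pe:
        desc = f"PE{pe['bits']} {'DLL' if pe['dll'] else 'executable'} ({pe['subsystem']}) {pe['machine']}"
        if pe["dotnet"]:
            desc += " Mono/.Net assembly"
        if pe["nsis"]:
            desc += ", Nullsoft Installer self-extracting archive"
        return desc
    if data.startswith(b"!<arch>\n"):
        return "current ar archive"
    if data.lstrip().startswith(b"<?xml"):
        return "XML document"
    return "data"


def triage(data: bytes) -> dict:
    """Fields comparable to one dropped-file entry of a sandbox report."""
    file_type = classify(data)
    entropy = shannon_entropy(data)
    return {
        "file_type": file_type,
        "size": len(data),
        "entropy": round(entropy, 6),
        "likely_encrypted": file_type == "data" and entropy >= ENCRYPTED_ENTROPY_THRESHOLD,
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
    }


def build_sample_pe(dll: bool, subsystem: int, dotnet: bool) -> bytes:
    """Constructed minimal PE32 header (not loadable) used only as sample input."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102 | (0x2000 if dll else 0))
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 68, subsystem)
    if dotnet:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)  # CLR header RVA/size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    samples = {  # constructed inputs, not files from the analysis
        "managed.dll": build_sample_pe(dll=True, subsystem=3, dotnet=True),
        "setup.exe": build_sample_pe(dll=False, subsystem=2, dotnet=False) + b"\xef\xbe\xad\xdeNullsoftInst",
        "blob.bin": bytes(range(256)) * 64,  # uniform bytes: entropy exactly 8.0
        "doc.xml": b'<?xml version="1.0"?>\r\n<doc/>\r\n',
    }
    for name, blob in samples.items():
        print(name, triage(blob))
```

Run it against a real dropped file with `triage(open(path, "rb").read())` and compare the digests with the report; a mismatch means the artifact on disk is not the one the sandbox hashed. The entropy field is the quick tell for packed or encrypted payloads: a plain XML documentation file sits near 4.6, a .NET assembly near 5.6, and the opaque blobs above are all pinned at 7.95 or higher, which is what an unpacker or string decryptor will later consume.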
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:current ar archive
Category:dropped
Size (bytes):87182312
Entropy (8bit):5.477474753748716
Encrypted:false
SSDEEP:196608:v0b1XAJ5V8XYcrfCNJsTtU0ZhdYHbgMnn6d25JOcLRiLnIrBcnK0EAeg1GF:78JaNJyZhdE6383rWEAR8
MD5:FFD456A85E341D430AFA0C07C1068538
SHA1:59394310B45F7B2B2882D55ADD9310C692C7144F
SHA-256:F188B96639B5157E64222BB8483D76CD21A99141FC2614EF275E20639C739264
SHA-512:EB4CB388383CB37B1D89531D560169985A80DF9335F005AFBBFDE56F9031821A933D735138B1086CF81D006E480FF14711A8A95B3DB8A0FD4037AA6EFD926B50
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):656926
Entropy (8bit):7.964275415195004
Encrypted:false
SSDEEP:
MD5:3404DD2B0E63D9418F755430336C7164
SHA1:0D7D8540FDC056BB741D9BAF2DC7A931C517C471
SHA-256:0D3FCA7584613EB1A38BAF971A7DD94F70803FC130135885EC675E83D16A4889
SHA-512:685D63633DB8A57D84225C2B92C92016E1CE98BA2BF8D3DDACE2EB120B3BCF84C718787D59DB6EC61F34CF91CB651500B4E4FF0AC37AEB89561CDCC586946C80
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):1017158
Entropy (8bit):7.951759131641406
Encrypted:false
SSDEEP:
MD5:3FBF52922588A52245DC927BCC36DBB3
SHA1:EF3C463C707A919876BF17C3E1CD05C0D2C28CA9
SHA-256:C6FE346106C5E4950161ED72EB0A81FE3537A94E4A59461AAF54E750D1904F76
SHA-512:682EB6D61B564C878FDB971A6439FCDA9F1E108BD021A32E8990B68B1338986A4866A0965DEA62567501C8826D43CEBF2B7C8BE8323DE415A75E8D89A9D592E7
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1174528
Entropy (8bit):6.475826085865088
Encrypted:false
SSDEEP:
MD5:207AC4BE98A6A5A72BE027E0A9904462
SHA1:D58D2C70EA0656D81C627D424F8F4EFCCEF57C86
SHA-256:2BA904DA93ACC4766639E7018AC93CC32AA685DB475F3A59B464C6BC8B981457
SHA-512:BFB6C58774829DB3D5FADC92CB51477FF4EAC8FB934DB6583A312BB1157468F6DD3A4A3AFAF25A687B74890DC8A69857A12D0B38B18D83E82836E92E02046FF3
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2106216
Entropy (8bit):6.4563314852745375
Encrypted:false
SSDEEP:
MD5:1C9B45E87528B8BB8CFA884EA0099A85
SHA1:98BE17E1D324790A5B206E1EA1CC4E64FBE21240
SHA-256:2F23182EC6F4889397AC4BF03D62536136C5BDBA825C7D2C4EF08C827F3A8A1C
SHA-512:B76D780810E8617B80331B4AD56E9C753652AF2E55B66795F7A7D67D6AFCEC5EF00D120D9B2C64126309076D8169239A721AE8B34784B639B3A3E2BF50D6EE34
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4127200
Entropy (8bit):6.577665867424953
Encrypted:false
SSDEEP:
MD5:3B4647BCB9FEB591C2C05D1A606ED988
SHA1:B42C59F96FB069FD49009DFD94550A7764E6C97C
SHA-256:35773C397036B368C1E75D4E0D62C36D98139EBE74E42C1FF7BE71C6B5A19FD7
SHA-512:00CD443B36F53985212AC43B44F56C18BF70E25119BBF9C59D05E2358FF45254B957F1EC63FC70FB57B1726FD8F76CCFAD8103C67454B817A4F183F9122E3F50
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):2205743
Entropy (8bit):7.923318114432295
Encrypted:false
SSDEEP:
MD5:54D4E14BFF05C268248CAB2EEDFB61DD
SHA1:33AF472176F6E5FB821FFE23C9FBCCC7C735B5B9
SHA-256:2CAC401BFFA9FD4DFFE11E05EE18FC5CA7A30EC5BF7EF6A3EA8518A4F3344790
SHA-512:5A6893E7EA30EAA0EFF44687B0D15366A8224E476E4AE8FE0D5C7EF2B3C62E6B0184F73EAD36C4E4E08D6936524CEF8429660B3EC29453EED128E3C5368CE78C
Malicious:false
Reputation:unknown

Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: data
Category: dropped
Size (bytes): 10717392
Entropy (8bit): 6.282534560973548
Encrypted: false
SSDEEP:
MD5: E0F1AD85C0933ECCE2E003A2C59AE726
SHA1: A8539FC5A233558EDFA264A34F7AF6187C3F0D4F
SHA-256: F5170AA2B388D23BEBF98784DD488A9BCB741470384A6A9A8D7A2638D768DEFB
SHA-512: 714ED5AE44DFA4812081B8DE42401197C235A4FA05206597F4C7B4170DD37E8360CC75D176399B735C9AEC200F5B7D5C81C07B9AB58CBCA8DC08861C6814FB28
Malicious: false
Reputation: unknown

Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 377856
Entropy (8bit): 6.602916265542373
Encrypted: false
SSDEEP:
MD5: 8BC03B20348D4FEBE6AEDAA32AFBBF47
SHA1: B1843C83808D9C8FBA32181CD3A033C66648C685
SHA-256: CBEE7AC19C7DCCCA15581BD5C6AD037A35820DDFE7C64E50792292F3F2E391E6
SHA-512: 3F9EEC2C75D2A2684C5B278A47FB0E78B57F4F11591FAC4F61DE929F716BBAA8F7DF05E10390408AD6628538611541548C26869822372E9C38D2C9C43881651E
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown

Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 6635008
Entropy (8bit): 6.832077162910607
Encrypted: false
SSDEEP:
MD5: 63988D35D7AB96823B5403BE3C110F7F
SHA1: 8CC4D3F4D2F1A2285535706961A26D02595AF55C
SHA-256: E03606B05EEAED4D567EA0412350721C0D566B3096B18C23BD0B3FCDE239E45A
SHA-512: D5F5ACA00BE9E875FCD61531CC7F04F520FB12999E36E4FE06BEAAE491B47D2E9FE182015DB1CBFBB8E78CF679F2EB49E20ECDF1B16D1D42058D6F2D91BC3359
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown

Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 176517632
Entropy (8bit): 7.025874989859836
Encrypted: false
SSDEEP:
MD5: F5259CC7721CA2BCC8AC97B76B1D3C7A
SHA1: C2FC0C8396D8CD6764809A2A592972E2EBCA64BA
SHA-256: 3FE6A262EF01CB8FD4DC2D4373DE0F1F0A89EE51953452ED4557CB55F1DA9AB4
SHA-512: 2D01B1F2B24717EFF37965BBC32D167434A65F3DFFF74342D2E2FA8FBB0E97C3F61FDF673A13AD63031D630D9CE46A6F9F0C4F89EBD30C31F3EA55817B9D1331
Malicious: true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation: unknown

Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: current ar archive
Category: dropped
Size (bytes): 40258
Entropy (8bit): 4.547436244061504
Encrypted: false
SSDEEP:
MD5: 310744A0E10BD9C2C6F50C525E4447F9
SHA1: 9BA62D6AC2CB8EFF46C9B21051677FC1DC66D718
SHA-256: E9C55CFF925E26812139CDCAD6612E0D69E317CB7BB1435C9EB5113D338ACCE7
SHA-512: 6DF9E3F9AFD7CDEC750B006987E5AEC445E163DD0B9CF1A9EA53F78DB2EE5FD654E3B4F82BCA3E1F4BEDB189F5DFA51189C820905676AD048DBE2E0AD405BF5B
Malicious: false
Reputation: unknown

Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: data
Category: dropped
Size (bytes): 470498
Entropy (8bit): 5.409080468053459
Encrypted: false
SSDEEP:
MD5: 64F46DC20A140F2FA3D4677E7CD85DD1
SHA1: 5A4102E3E34C1360F833507A48E61DFD31707377
SHA-256: BA5CA0A98E873799A20FD0DF39FDB55AAB140E3CC6021E0B597C04CCE534246D
SHA-512: F7D789427316595764C99B00AF0EF1861204F74B33F9FAB0450F670CB56290C92BFB06EF7D1D3B3BF0B6ACDC6295E77F842C49579BD9973E3D5805920CDB2527
Malicious: false
Reputation: unknown

Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: data
Category: dropped
Size (bytes): 763010
Entropy (8bit): 4.909167677028143
Encrypted: false
SSDEEP:
MD5: 3B0D0F3EC195A0796A6E2FAB0C282BFB
SHA1: 6FCFCD102DE06A0095584A0186BD307AA49E49BD
SHA-256: F9F620F599BC00E84A9826948C3DA985AC9ADB7A6FFB4C6E4FBEFEAF6A94CF85
SHA-512: CA9217F22C52EF44E4F25142D1AD5DD9D16E4CCC3B6641609E1F4C2650944E35BA4CAB59CA5CD9EA6FEFD6BE1D3E8227FC0E3E6BDEDD14B059CA2C72D096D836
Malicious: false
Reputation: unknown
Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: data
Category: dropped
Size (bytes): 838413
Entropy (8bit): 4.920788245468804
Encrypted: false
SSDEEP:
MD5: C70B71B05A8CA5B8243C951B96D67453
SHA1: DEED73A89F0B3EDAB8FF74117CC6B31CB4F426E8
SHA-256: 5E0D4BC0893A334B6FFF610F66E4A00920530D73EC3257EB9D37A96EBD555C13
SHA-512: E000FD3592AC5FE700C4CE117868915C066AC66D5954A1DE4F5AFF0F4559C93F7DFF47623F1837CE827FFF94E91ECD89A974037BE9CCCC8E672E229A1E8115E9
Malicious: false
Reputation: unknown
Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: data
Category: dropped
Size (bytes): 869469
Entropy (8bit): 4.677916300869337
Encrypted: false
SSDEEP:
MD5: 12A9400F521EC1D3975257B2061F5790
SHA1: 100EA691E0C53B240C72EAEC15C84A686E808067
SHA-256: B7FD85B33B69D7B50F6C3FDC4D48070E8D853C255F2711EEDAA40D1BA835F993
SHA-512: 31EAA1CBF13BC711750B257C6B75813ACC8E4E04E9262815E399A88B96BA7B5BE64CE2450638B5521D5CB36750C64848944168C3234D2CE15A7E3E844A1E1667
Malicious: false
Reputation: unknown
Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: data
Category: dropped
Size (bytes): 1118348
Entropy (8bit): 4.2989199535081895
Encrypted: false
SSDEEP:
MD5: 89A24AF99D5592AB8964B701F13E1706
SHA1: 2177122C6DCC20E1D07EF43AF5A112E8E5C6B95B
SHA-256: 5BDBBCD0D07B6AE3A7F96F07871EE541F4111D90D73FD6E112C5ABE040025C96
SHA-512: 60F6CD73BF35886EF54FA6200F86BCED78DD11F612C8071F63EB31108F109C166D45609879E8E5107024A025BAFCFCF1C80051B6D8FF650D92DCF17136384EB1
Malicious: false
Reputation: unknown
Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: data
Category: dropped
Size (bytes): 537139
Entropy (8bit): 5.397688491907634
Encrypted: false
SSDEEP:
MD5: 37B54705BD9620E69E7E9305CDFAC7AB
SHA1: D9059289D5A4CAB287F1F877470605ED6BBDA2C8
SHA-256: 98B2B599C57675EFC1456B38B23CE5657B142E0547F89AB1530870652C8EB4BA
SHA-512: 42D667FEB59BB5FA619AC43DC94629ED1157CBE602643FB21378A2C524EF1F6E32098E7C62D3F3DE35D9FEDEF6607FE034908601AE3C49156CD0916E2514D2F9
Malicious: false
Reputation: unknown
Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: data
Category: dropped
Size (bytes): 545011
Entropy (8bit): 5.844949195905198
Encrypted: false
SSDEEP:
MD5: 65A2C2A73232AB1073E44E0FB6310A5F
SHA1: F3158AA527538819C93F57E2C778198A94416C98
SHA-256: E9A1610AFFCA9F69CD651C8D2EDD71B5A0F82CB3910A8A9D783F68E701DB5BB0
SHA-512: 20ED527F3BBBA2CECE03D7B251B19D6DCC9D345B5425291D8139FCDD5646EC34D585891160CC4BD96C668D18FFFFDD56F4D159880CFC0D538749F429F7F65512
Malicious: false
Reputation: unknown
Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: data
Category: dropped
Size (bytes): 496165
Entropy (8bit): 5.446061543230436
Encrypted: false
SSDEEP:
MD5: A44EC6AAA456A6129FD820CA75E968BE
SHA1: 9B5B17AFD57ADB8513D2DA9A72223E8A003975A5
SHA-256: F01F9C3E4E6204425F2969F77BF6241D1111CE86CDD169BDF27E5D2D4B86C91A
SHA-512: 947DB81EA64009CC301CD2DCE06384202E56446F6D75E62390334B91D09B564CB0681E06BF7A945033BD6C28C2171346A91EE16693262C4E373A31B51AD42A9E
Malicious: false
Reputation: unknown
Process: C:\Users\user\AppData\Local\Temp\setup.exe
File Type: data
Category: dropped
Size (bytes): 534726
Entropy (8bit): 5.49306456316532
Encrypted: false
SSDEEP:
MD5: 49CA708EBB7A4913C36F7461F094886B
SHA1: 13A6B5E8DC8B4DF7A976A0859684DC0AA70F1B12
SHA-256: 8AE7D6B77C51A4FE67459860ABDAE463F10766FAF2BA54F2BB85FD9E859D2324
SHA-512: 6908F96BFDF7499B33E76697AA96103E89ACB3E25EDBD6156B610564AF14D4ED474C547A760503490B6327A801478E223039836BEEF2B938AF76827A15C0F751
Malicious: false
Reputation: unknown
                                                                                                                                                                                                                        Preview:.........#..e.~...h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.%...y.+...z.:...|.@...}.R.....Z....._.....g.....o.....w.....~.................................................................X.................E...................................^.....x...........n................./.......................Z...................................U.....w.............................h...........&.....7...........9.....w........... ................. ..........._.................D.......................U.......................h...................................a.....x...........f.........................................F.......................u...........).....;...........j.................A.......................;.......................9.......................t...........,.....`...........-.....K.....b...........G.....s.................}.................T...........,.....6...........S................./.......................K.......................t...........*.
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):950999
                                                                                                                                                                                                                        Entropy (8bit):4.76377388695373
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:
                                                                                                                                                                                                                        MD5:9CBC320E39CFF7C29F61BD367C0BF3BB
                                                                                                                                                                                                                        SHA1:2AF07EFFF54A0CF916CF1C0A657F7B7ADF2029FF
                                                                                                                                                                                                                        SHA-256:E8837DEFA908EB2FD8B4EB6344412C93403A4258F75EC63A69547EB06A8E53B3
                                                                                                                                                                                                                        SHA-512:F7D84185F4520E7AAF3F3CACF38B53E9638BB7D5023FA244020EC8D141FFD5C10B198FF089824D69671FE8350F931B0BB19B6CAF14AF47B0838953367A146DD0
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:........)$..e.H...h.P...i.X...j.b...k.q...l.|...n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}...................&...........6.....=.....D.....K.....L.....M.....O.....v.......................5...................................V.................h...........F.....i...........~...........{...........a...........'.................&.......................M.....U.....O............................./.....J.....1..........._...........{.....6................. .............................g.......................<.................J...........8.....t.....O.....).......................U............................................................ ..... .....!.....!.....".....#.....$.....$.....$.....%....|&.....&.....'.....'....;(....t(.....(....M).....)....;*....h*....U+.....,.....,.....,.....-....8.....t...........f/....(0.....0.....0.....1....S2.....2.....3....64....Q5.....6....@6....A7....(8.....8.....8.....9.....:....o;.....;....[<....%=.....=.....=.....>.....?....6@
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):430665
                                                                                                                                                                                                                        Entropy (8bit):5.517246002357965
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:
                                                                                                                                                                                                                        MD5:0F1E2BC597771A8DB11D1D3AC59B84F3
                                                                                                                                                                                                                        SHA1:C1F782C550AC733852C6BED9AD62AB79FC004049
                                                                                                                                                                                                                        SHA-256:E4798E5FF84069C3BFD7D64734CCD9FF5C8A606315B44A714ACDCABDDAF3CA6E
                                                                                                                                                                                                                        SHA-512:07E9B98357C880995576059AD4E91E0F145DC0F2FFF2DFDAD8649FA42EB46FA86F7F093503C41019EAD4550784E26C553D171518355FBBF995E38B1F6D7ABFF0
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:.........$ .e.(...h.0...i.>...j.J...k.Y...l.d...n.l...o.q...p.~...q.....r.....s.....t.....v.....w.....y.....z.....|.....}.....................................%.....,.....3.....4.....5.....:.....G.....V.....f.....w...........J.......................H.....y.................I.......................@.....o.......................?.....M............................._.......................B.......................8.............................[.......................*.....V.....a...........*.....l............................. .....^.............................A.....b.....n.................H.....[.......................+.....t.......................5.....y.......................:.....c.....n...........'.....d.....y.................).....?.............................G.............................].......................4.....O.....^.................6.....F.................#.....;.................V.....d...........$.....[.....x.................F.....U.............................k.............
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):434598
                                                                                                                                                                                                                        Entropy (8bit):5.509004494756697
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:
                                                                                                                                                                                                                        MD5:FEAB603B4C7520CCFA84D48B243B1EC0
                                                                                                                                                                                                                        SHA1:E04138F1C2928D8EECE6037025B4DA2995F13CB4
                                                                                                                                                                                                                        SHA-256:C5B8FBDBB26F390A921DCACC546715F5CC5021CD7C132FD77D8A1562758F21F4
                                                                                                                                                                                                                        SHA-512:E6B3970A46D87BFD59E23743B624DA8116D0E1A9912D014557C38FD2664F513E56317AFA536DF52E7E703863FBD92136BE57EE759A2FFC2958AB028F6287E8B7
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:.........$..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.,...y.2...z.A...|.G...}.Y.....a.....f.....n.....v.....~.................................................................G.......................\.......................Q.......................T......................./.....t.......................7.....^.....k.................".....9.................!.....9.............................i.......................7.......................!.............................K.....f.....u.............................Y.............................k.......................G.....t.......................7.....B.............................J.......................$.....~.......................^.............................=.....R.............................q.......................X.............................X.......................7.....o.................X.......................k.......................a.......................!.....C.....S.................,.
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):524728
                                                                                                                                                                                                                        Entropy (8bit):5.377464936206393
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:
                                                                                                                                                                                                                        MD5:32A59B6D9C8CA99FBD77CAA2F586509A
                                                                                                                                                                                                                        SHA1:7E8356D940D4D4CC2E673460483656915AA59893
                                                                                                                                                                                                                        SHA-256:AA4A5AA83DD5F8476867005844F54664DB1F5464A855EF47EC3A821DAF08E8F2
                                                                                                                                                                                                                        SHA-512:860BA06228BBA31EEC7EB8BD437DDB6E93BABD0129033FB6EFF168F2FB01B54E2B93D2AB50A5D4F5D2FB7B04A5D0DD5541999D708CC2613B74AADD17B3E98735
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:........5$..e.`...h.h...i.q...j.}...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.,.....4.....9.....A.....I.....Q.....X....._.....f.....g.....h.....j.....|.......................J...........>.....Y...........1.....v..........."...................................L.....g.................4.....G.................,.....=...........7.....}...........6...................................6.....I.................\.....s..........._.................Z...........2.....Y.......................:.......................".......................0.................R.....e...........).....g.....s.................P.....[.................4.....>.................L.....\...........O.................!.....v.................+.....x.................i.................:.................2.......................!.......................0.................I.....c...........x.............................B.....p...........V.......................G.....j.....}...........n.............
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):523181
                                                                                                                                                                                                                        Entropy (8bit):5.356449408331279
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:
                                                                                                                                                                                                                        MD5:3D1720FE1D801D54420438A54CBE1547
                                                                                                                                                                                                                        SHA1:8B1B0735AE0E473858C59C54111697609831D65A
                                                                                                                                                                                                                        SHA-256:AE32D66C0329104B9624BA0811FE79149D1680D28299440EC85835DBA41C7BD2
                                                                                                                                                                                                                        SHA-512:C033BBB5261EC114DCB076EDB5E4B3293F37D60C813674A947F996606A6289204C04D2E4315356D92EEEB43FF41D534997DBEBBF960B17F2F24AA731AFE4B7E1
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:........5$..e.`...h.h...i.p...j.|...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.+.....3.....8.....@.....H.....P.....W.....^.....e.....f.....g.....i.....|.......................O...........G.....b...........D.................0........... .....:.................Y.....t.........../.....^.....n...........0.....X.....i...........c.................W...................................I.....Z...........*.....f.....{...........o.................g...........+.....P.................8.....N.................".....1.................*.....@.................?.....R.................;.....G.................%.....0.............................y...................................D.....^.................@.....].................5.....T...........;.....`.....s...........h.................M.......................A.......................W.............................&.................)...................................A.....U................. .....3.................D.
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):475733
                                                                                                                                                                                                                        Entropy (8bit):5.456553040437113
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:
                                                                                                                                                                                                                        MD5:C00D66D3FD4FD9D777949E2F115F11FB
                                                                                                                                                                                                                        SHA1:A8EAAD96CABCDFB7987AF56CB53FA5E16143EC48
                                                                                                                                                                                                                        SHA-256:26C438935E3F666329EE8D1DABA66B39179BCF26EBAC902F9B957A784BDC9B4A
                                                                                                                                                                                                                        SHA-512:E7E8C083B556DD05874AC669B58A4D1CD05D1E1B771EB4C32942869E387C6FA2B317B5F489138BD90135117DAEB051D96A7823B531DF0303BD4245A036F25A20
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:........@$y.e.v...h.~...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.#...z.2...|.8...}.J.....R.....W....._.....g.....o.....v.....}.....................................................S...........J.....e...........4.....d.....w...........Y.......................u.......................m.......................\.......................[.........................................7.......................;.......................K.......................x...........;.....R.................9.....T................. .....,.............................w...........#......................./.....=.................'...../.................".....1.................$.....,.................O.....g.................4.....J.................,.....O.................4.....A.................=.....i.................&.....7.................#.....;.................?.....Z...........U.................C...................................@.....M...........................................
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):773397
                                                                                                                                                                                                                        Entropy (8bit):5.04618630633187
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:
                                                                                                                                                                                                                        MD5:C998140F7970B81117B073A87430A748
                                                                                                                                                                                                                        SHA1:8A6662C3AABDAC68083A4D00862205689008110C
                                                                                                                                                                                                                        SHA-256:182F18E4EFCA13CA59AFD1DF2A49B09733449D42526EE4700B11A9C5E6AAC357
                                                                                                                                                                                                                        SHA-512:5A947A44F674F9556FDD44D2E4FF8CF0E0AAC4475FFA12480CA1BD07CFE7514961B7CACE6760189432B4B4BEB5EA5816701158EB3CB827A806F3063853C46D5E
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):483378
Entropy (8bit):5.428549632880935
Encrypted:false
SSDEEP:
MD5:1CFD31A6B740D95E4D5D53432743EBF1
SHA1:20CEEEA204150BD2F7AAE5866C09A3B0AE72D4C5
SHA-256:F821E06B4BACD9E7660A2D6912A049591FFD56C6D2A0A29B914648589B17B615
SHA-512:C483B7347F91BE8EE515DCF352A1D7502B9A159EDE35EACCEBAA763B93A625BCE2D0C7D598C2A6111092257D6DAC7A167102E956697210D4694B9812D70C8A94
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):546749
Entropy (8bit):5.197094281578282
Encrypted:false
SSDEEP:
MD5:6EDA0CD3C7D513AAB9856EC504C7D16F
SHA1:BA24C4B994E7866F2C012CCEC6C22DFC1A4FCFF6
SHA-256:3CD2BC9E887663C5E093E0334BC60CF684655A815E3DE7AD9A34BAD5EBB858B1
SHA-512:47000F5EA882CB9EDDCF4FB42ED229423EE55AA18B4A4353D7EF85ADFA7E1B0BBB33C2469887224D7146B3E33FB2296749CD053D68D7DAF26980BC710A27C63E
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):568277
Entropy (8bit):5.380723339968972
Encrypted:false
SSDEEP:
MD5:D185162DF4CAC9DCE7D70926099D1CF1
SHA1:46594ADB3FC06A090675CA48FFA943E299874BBD
SHA-256:E40C07183A32B75930242F166C5AAE28F4CD769BB2268391BEAA241814E7D45A
SHA-512:987D9CC6AD5F2ED6A87537FDADF105F6EB31A97B11156E70814FE021047E5D8D08398F008812038DF3CCDCB6254BF5B744D9982FE04F79D407AC2F53BB046E25
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):1103776
Entropy (8bit):4.336526106451521
Encrypted:false
SSDEEP:
MD5:44F704DB17F0203FA5195DC4572C946C
SHA1:205CBCC20ADCCCF40E80AA53272FBA8CD07389CA
SHA-256:4B073F08F0C8C035974B5EC43AA500F8BDD50E6CFE91A2FB972A39E0F15ECEDD
SHA-512:3CFD4501556845141EE9B461C831CA59779AD99F0E83E8D03433DE78D774378E87DE752DD9711C112A0C584259AD1DA6DC891D92F3F447F63A4D84263CD5BFCE
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):681555
Entropy (8bit):4.658620623200349
Encrypted:false
SSDEEP:
MD5:E75086A24ECAA25CD18D547AB041C65A
SHA1:C88CE46E6321E4A21032308DFD72C272FB267DBD
SHA-256:55BE8A5ED9FB9C129AC45B7FC99574B9907350AFD024BAA5D07525F43E995F6B
SHA-512:01D7FDD90B8D0D3779B8442250E2AA767481B2E581F880BF9C3DCBB15FCE52E477B1881F3704FBCB3172DB77DB10241BCB24851BFE30066D1E9B66244B3C6877
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):1167065
Entropy (8bit):4.308980564019689
Encrypted:false
SSDEEP:
MD5:1FF8A0B82218A956D2701A5E4BFA84EF
SHA1:56BB8218963E14ADCC435F2455891F3A0453D053
SHA-256:62E7C3ABC317931723BE11ADD3712DD15EAAB0A35A4D8E7DB0B6347104EC5733
SHA-512:3330D983401953AA5ED4856A8D10FFCBEEFC2A4E594CF850566A0AD38837BC1164870BB1270B6BBE5D7DD6FB1ECA29CDE85869A5C51808B901CDC282E04764E4
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):526575
Entropy (8bit):5.518614920030561
Encrypted:false
SSDEEP:
MD5:0BD2F9847C151F9A6FC0D59A0074770C
SHA1:EA5313A194E9D99489E9F1D7B4DFC0BC986C8E17
SHA-256:5F2F1AA2E2EC78F375084A9C35275E84692EE68A1E87BBEF5A12A2C0FCF7F37A
SHA-512:0032C0B41FDF769DAA1AF23C443D4195B127DF9EA8621174F1AABDBAFAE4954383095FA1EEAD14FC458188B8837BBE9AECA0D5338E4D47F10D976FBED8609496
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):566819
Entropy (8bit):5.6387082185760935
Encrypted:false
SSDEEP:
MD5:4C27A1C79AB9A058C0A7DFFD22134AFD
SHA1:5F0A1B34E808B91ADB1E431E462D9FCF82F4FFF2
SHA-256:AD98C0A367B51EB217E69D66FA6A946946E85EC8452FC5A7AE0F179F35BE28C3
SHA-512:0F066DB5905EB24B6CB4FBC7C81F017B43AFB7A6E975886644D871E979406B990509905D100653496EE2D20969A77434B702FF1EA5D348274AE54EA597A91D5E
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):466959
Entropy (8bit):5.379636778781472
Encrypted:false
SSDEEP:
MD5:1466C484179769A2263542E943742E59
SHA1:18E45A08661FD6D34BADE01CDB1E1D5184BA2B67
SHA-256:C331293D16B16B08DEF73BE73437845D58C593941320C547A377DB423749AEBB
SHA-512:ABC54D5CAAA663578F064E43CC0465BEB97EFC46991936708EBF3FCD64BD007E47072AB4834A5361B21F064BB0F6527E247BC2C2F0DFB8336F50C2FF3E15A59C
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):522800
Entropy (8bit):5.284113957149261
Encrypted:false
SSDEEP:
MD5:7767A70358D0AE6D408FF979DF9B2CD4
SHA1:9C57A5B068DC12AAF1591778DEF5D3696377EDAB
SHA-256:672908E77E9EACA793654C8E630442099DE3BE772FD3230A9C4045CAFBCC0B1E
SHA-512:913AA8C49D04CD84706D08A88453D1ED36FDE6A00F7C1DF63DECEA99316A8A234924457C0C50937329B3979E437B1C2D7796E63ADF209505E212FDCEAE3BFDB5
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):634636
Entropy (8bit):5.718480148171718
Encrypted:false
SSDEEP:
MD5:4A4AF69546DCF65F2D722A574E221BEA
SHA1:EE51613F111CF5B06F5605B629952EFFE0350870
SHA-256:7AD195AF107F2A394BAB527C3E84E08F3B7748076F23459F084CF0E05DD29655
SHA-512:0E93F6B22F7C9176EFC9D49901BFBD281FA5AC3632780DFA76CE597CADD8C1CF570A9163A86BC320BBFBD354F48288DBEC5E36A6088999B00A3561D302A96D03
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):1256908
Entropy (8bit):4.247594585839553
Encrypted:false
SSDEEP:
MD5:6A41A5AB03A22BDAEC7985B9A75EC11A
SHA1:6BB02DF557BD6522E02FE026C0243BEB9332B2E5
SHA-256:E22873652AC7D9D18E47DAE838D121B5644EDA4C67F7B0BC110733BF7E931FEA
SHA-512:BCA661D802D29463A847AC77EB8D5DFA41C31455E7314049CA26555957DCA3BE33701C074F7ED26D2C375A0A9C5F8A93461007B8D74F5ED3BD27C02E5DB170A5
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):532715
Entropy (8bit):6.0824169765918725
Encrypted:false
SSDEEP:
MD5:5FD9942F57FFC499481947DB0C3FDFA7
SHA1:4D60AB21305902877467FF6151C1B7AB12553AAE
SHA-256:09E279860E20E9E559945940E29446CAD4273D05C5F3F15D0BAD664A1D5749F2
SHA-512:97953E580588C07769F1BD0002E2DF648FFCE5B246D2359E4475EDCFA1CD6E7286BAF168A115D7A65686B2151C313B6FD0C271E40B1F9DD4132F2F39904FE8D4
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):573015
Entropy (8bit):5.63016577624216
Encrypted:false
SSDEEP:
MD5:8745B87D09D9ECC1112C60F5DD934034
SHA1:2F411E4EEF0E656CAC0C755FECE1AD2531CB689E
SHA-256:D546C994C81510122E7B2359DA50F694E1F0CA4081830404E16187A5CF4D4E0D
SHA-512:27B658C153A01AABB9595C5B1059567E535EDFC8F8187B89316D2C85694DE32696D209CFDD2A32C4826DFB1E50AC692937156563EE190E68DB358C40F9AAE15F
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):570683
Entropy (8bit):5.624052036286866
Encrypted:false
SSDEEP:
MD5:E16B0B814074ACBD3A72AF677AC7BE84
SHA1:10744490B3E40BEB939B3FDCA411075A85A34794
SHA-256:46B5C09AA744AF0F660C79B0CDBDE8C8DBDD40A0BA1A23AAF28D37ECC4211DC5
SHA-512:70EA9DFAC667C0992AE0E95815A47EB8E779BAAE1215E733AFE84EEE26D3BA754AD838C12E9AEE3114D7BBE11CD21B31C550F5CAFE6C5E838B69E54C6174EF18
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:........O$j.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.;...y.A...z.P...|.V...}.h.....p.....u.....}...................................................................................Z.................G.................%...........Z.................F.................6.................Q.....\...........Q.........................................|.....#.....t...................................W.................0...........T.................B...........8.....Y...........$.....J.....`...........-.....V.....h...........;.....b.....v.............................G.......................r.........../.....>...........'.....Z.....k...........c.................@...........3.....K.................).....>...........=.....t.................c.................(.................2.......................8...........<.....q.........................................:.................8...................................N.....^...........0.....K.....m............ .....
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1307271
                                                                                                                                                                                                                        Entropy (8bit):4.279854356980692
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:
                                                                                                                                                                                                                        MD5:309E068B4E15157486D095301370B234
                                                                                                                                                                                                                        SHA1:D962CDAF9361767045A928966F4323EAD22D9B37
                                                                                                                                                                                                                        SHA-256:4F2C19B7E94B695C5C5CAB95DEE6E49AE53C3337C351B5C665BCB6BA4E6AE909
                                                                                                                                                                                                                        SHA-512:6B1333946C7950D97D2DF29D063DB39A0EC5C0EEAA1ECA40743E4A6A0E4C972D897D3FF2BA837B53E31B8003F2C5C4BACCB7A4AB4B50C6CB47DF39AD7B8E05E7
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:........N$k.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.,...w.9...y.?...z.N...|.T...}.f.....n.....s.....{...........................................................$.....d.................Z.....C.......................W...........%.....r.....a.......................}.................n...........................................................I.................m.......................l.......................5.....y.............................^.............................j.......................|............ ..... .....!.....!....*".....#.....#....V$.....$....n%.....&.....&.....&.....'....n(.....(.....).....*.....*....W+.....+....c,....+-.....-.....-...........0.....0.....1.....1.....2....!3....Y3.....4.....4.....5....T5....06.....6.....7.....7.....9.....9.....:.....;.....;.....<.....=....Z=....|>....s?.....@....T@.....A....UB.....C....SC.....D.....E....yF.....F.....G.....H.....I.....I....-K....(L.....L.....M.....N.....N....eO.....O.....P.....Q.....R
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1075591
                                                                                                                                                                                                                        Entropy (8bit):4.313573412022857
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:
                                                                                                                                                                                                                        MD5:69C36C23D6D9841F4362FF3A0F86CFDF
                                                                                                                                                                                                                        SHA1:C4C1F632EB8373107AEEBD6C26ECF036AEDA2B6B
                                                                                                                                                                                                                        SHA-256:6A794C2B08F8B046BE771DF33719536BDAF2371E3825D49A0E556958B781832D
                                                                                                                                                                                                                        SHA-512:8C1329BDB371677BC0A9D727A38591EDF32025BAE1E7EFE402D01C6A8BB5F647D827C59A18F40455D5C9C0482798525C98C3F1C8AC568AA886D7C1ED07D1580E
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:.........$..e.....h.....i."...j.....k.=...l.H...n.P...o.U...p.b...q.h...r.t...s.....t.....v.....w.....y.....z.....|.....}.........................................................................@.....b.................%.....]...........W.................J.............................:.....@.....=...................................&.................&.....F.....P.......................h...........o...............................................c...................................R..........._.................i...............................................J.................. .....!.....!....(".....#.....#....O$....{$....B%.....&....c&.....&....F'.....(...._(.....(....R).....*....y*.....*.....+.....-.....-................./...../...../.....0....61....l1.....1....Z2.... 3.....3.....3.....4.....5.....6.....6.....7.....8.....9....E9....u:....n;.....;....@<.....=....O>.....?....5?.....@.....A.....B.....B....MD....WE.....E....eF....nG....LH.....H.....H.....I.....J.....J.....K....5L....)M.....M
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):489457
                                                                                                                                                                                                                        Entropy (8bit):5.250540323172458
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:
                                                                                                                                                                                                                        MD5:A1253E64F8910162B15B56883798E3C0
                                                                                                                                                                                                                        SHA1:68D402D94D2145704DC3760914BF616CC71FC65D
                                                                                                                                                                                                                        SHA-256:E033BFAD6CD73EA7B001DFAF44B7102E3BBE2A1C418F005C149E4FB2565DB19F
                                                                                                                                                                                                                        SHA-512:ABD63713093049ECC8E24FD8145EAE065340058A3C38758A59EE8796FBED7E6CFBC54982D650889F1CEB54797060C7DDA12EEE2A963B14C5E907A110C2057DBE
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:........T$e.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v./...w.<...y.B...z.Q...|.W...}.i.....q.....v.....~........................................................................................._.....{...........:.....n.....~...........\.................#.......................=.......................1.......................3.......................Y.................*.....z.......................W.......................E.......................b.........../.....A.............................N.......................$.....x.......................r.......................z.......................p.......................^.......................Q.......................r.................!.....s.......................S.....w.................6....._.....p.................T.....w.......................#.......................$.................2.....K...........B.......................s.................,.............................P.....r.................0.....].
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):476208
                                                                                                                                                                                                                        Entropy (8bit):5.4272499712806965
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:
                                                                                                                                                                                                                        MD5:622ED80836E0EF3F949ED8A379CBE6DF
                                                                                                                                                                                                                        SHA1:9A94CD80E747B88582470EF49B7337B9E5DE6C28
                                                                                                                                                                                                                        SHA-256:560B2F09C1B6E6BB7E6A5A5F9BF85A88BD2ACA054B7D4A5955D9C91B6D7CA67C
                                                                                                                                                                                                                        SHA-512:950627E74180E1451BB35AE4A7416AC14D42D67BBBB59DC51D7B69E4CEB61715F8F9B0EB9D7F35FCEFD4D43FABE5CE2103F1AF3709CAE6733C25AC19E6339A83
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:........2$..e.Z...h.b...i.y...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|."...}.4.....<.....A.....I.....Q.....Y.....`.....g.....n.....o.....p.....r.....}.......................N...........A.....V.................X.....k...........z.................K.......................L.......................:.......................;.......................g................./...........<.........................................R.................1...........Q.......................\.....u.................1.....V.....f.................9.....I.................H.....\.................J.....Z...........".....T.....d.................@.....P.................<.....J...........4.....y.................B.....h.....{...........&.....E.....^.................-.....?...........,.....k.................V.....|.................b.......................i.................&.......................s...........9.....b...........*.....V.....i.................".....0.................).
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):491139
                                                                                                                                                                                                                        Entropy (8bit):5.362822162782947
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:
                                                                                                                                                                                                                        MD5:C8378A81039DB6943F97286CC8C629F1
                                                                                                                                                                                                                        SHA1:758D9AB331C394709F097361612C6D44BDE4E8FE
                                                                                                                                                                                                                        SHA-256:318FB294CE025BDA7636B062CA7B6A1FB1E30C485D01856159CB5DB928782818
                                                                                                                                                                                                                        SHA-512:6687FFE4DE0D5A2314743EB3134096292724163D4E0332D2F47922B4807B0CDE7C20E2D57D2662E403D801BC7A20BC247F5D0EDD787AB650E5766B49AF7D3C63
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:.........$..e.*...h.2...i.C...j.O...k.^...l.i...n.q...o.v...p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}...............................#.....*.....1.....8.....9.....:.....<.....H.....X.....i.....{.............................X.......................|...........4.....J.................M.....d.................8.....G.......................).................8.....Y...........1.....h.................F.....{.................U.........................................\.................4.............................Y.......................-.....~.......................}.......................v.......................V.......................5.....a.....n...........*.....^.....m...........I.......................X.......................>....._.....v...........,.....T.....f...........8.....o.................=.....[.....o...........3.....e.....v...........H.....................................................E.....j...........5.....f.....{.................B.....R.................B.
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):550453
                                                                                                                                                                                                                        Entropy (8bit):5.757462673735937
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:
                                                                                                                                                                                                                        MD5:80C5893068C1D6CE9AEF23525ECAD83C
                                                                                                                                                                                                                        SHA1:A2A7ADEE70503771483A2500786BF0D707B3DF6B
                                                                                                                                                                                                                        SHA-256:0069648995532EFD5E8D01CC6F7DD75BD6D072E86C3AE06791088A1A9B6DACC4
                                                                                                                                                                                                                        SHA-512:3D1C41A851E1CF7247539B196AD7D8EE909B4F47C3CFB5BA5166D82CDA1C38049B81A109C23FA6D887490E42EE587CC2A6BD96A3EA890267C089AC74710C755F
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:........6$..e.b...h.j...i.{...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|."...}.4.....<.....A.....I.....Q.....Y.....`.....g.....n.....o.....p.....r.............................X...........S.....o...........=.....w...................................i...............................................z.................$.................1.....W...........M.................*.......................@.......................l...........0.....L...........].................9.....v.......................E.....h.....x.................,.....:.................<.....P.................>.....P.................6.....F.......................-.........................................e.....}.................4.....K.......................;.................+.....@.................a.................+.....I.....`.................9.....U...........2.....}...................................w...........'.....R.................9.....J.............................v.............
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):516256
                                                                                                                                                                                                                        Entropy (8bit):5.426294949123783
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:
                                                                                                                                                                                                                        MD5:3BA426E91C34E1C33F13912974835F7D
                                                                                                                                                                                                                        SHA1:467A1B05BAD23252A08EE22E6B9EBB4404F6A0F0
                                                                                                                                                                                                                        SHA-256:CB66D88D3B3938FE1E42C50ECB85CEDB0D57E0F0AB2FA2A5FC0E4CDEA640E2B7
                                                                                                                                                                                                                        SHA-512:824A4301DC4D935FF34CE88FAA0354440FC1A3A8E79B0F4B0B2DCC8F12542ECEF65828FB930EDF5B35BF16863296BBAE39E9306962B4D3CFA9F6495AC05BDEF4
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:........9$..e.h...h.p...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.$...|.*...}.<.....D.....I.....Q.....Y.....a.....h.....o.....v.....w.....x.....}.............................d...........L.....h.........../.....h.....x.............................w.................(.....y.......................^...................................:.....j..........._.................:......................._...................................K.....d...........p.................5.............................q.......................n.......................w.......................p.......................O.....}.................).....W.....a.................V.....g...........b................. .....j.......................;.....a.................=.....U...........N.................2.....W.....p...........8.....p.................S.................@.................0...........1.....{.................X.......................0.....V.....k...........C...................
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):518861
                                                                                                                                                                                                                        Entropy (8bit):5.4029194034596575
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:
                                                                                                                                                                                                                        MD5:4D7D724BE592BD0280ED28388EAA8D43
                                                                                                                                                                                                                        SHA1:8E3C46B77639EB480A90AD27383FBB14C4176960
                                                                                                                                                                                                                        SHA-256:4724D82866C0A693C2B02D1FFA67D880B59CDB0D3334317B34EC0C91C3D3E2A2
                                                                                                                                                                                                                        SHA-512:D05388F66C50E039F7D3393515740F6B2593F9C0EF8651F9CDE910C5FF06656E0D22FDB066B22665289EE495837EA16CC085ECB3F85B0F6FB498AECDAA19ADF7
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:........I$p.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v."...w./...y.5...z.D...|.J...}.\.....d.....i.....q.....y.......................................................................u...........Z.....u...........@.................).................$.................S.....w.................D.....T.................(.....:...........(.....j.................x.................H.......................g...................................9.....N...........D.......................p.......................^.......................a.......................q.......................r.......................U.............................[.....e.................P.....a...........?.......................O.....y.............................?.................0.....J...........#.....p.................9.....c.....u...........#.....Y.....n.........../.....}...............................................G.....k...........N.......................B.....g.....|...........J.......
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):537125
                                                                                                                                                                                                                        Entropy (8bit):5.4566742297332596
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:
                                                                                                                                                                                                                        MD5:4F1C0A8632218F6FEF6BAB0917BEB84F
                                                                                                                                                                                                                        SHA1:05E497C8525CB1ADE6A0DAEFE09370EC45176E35
                                                                                                                                                                                                                        SHA-256:9C19835F237B1427000D72C93703311CFCBEFF6C2B709474B16DB93E629BC928
                                                                                                                                                                                                                        SHA-512:A7CDF94F79CD888BB81FD167F6B09BF1BEF2C749218869E5A12A0A3B2C2506D1A63F64B63D8E48EA49375636041C639082563BF9D526FE44003FC5A5E8D50E9D
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:........0$..e.V...h.^...i.o...j.y...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.(.....0.....5.....=.....E.....M.....T.....[.....b.....c.....d.....f.....u.......................3.................+.................%.....9...........@.................1.......................Q.......................4.......................C...................................>.....b...........@.......................d.........................................p...........@.....n.................+.....H.............................h.......................M.......................J.......................7.............................].......................E.....t...................................?.............................W.....w.................\.................).......................f.......................W.........................................'...........$.....y...................................f.......................j.......................l...........+.
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):878725
                                                                                                                                                                                                                        Entropy (8bit):4.848685093578222
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:
                                                                                                                                                                                                                        MD5:3A3D0D865A78399306924D3ED058274E
                                                                                                                                                                                                                        SHA1:AA1A42DB6021666B2297A65094D29978792CE29B
                                                                                                                                                                                                                        SHA-256:EAB4C32FEBE084CC7A3A272CDA008B69D6617ED6D042376B0316BE185B9E66FE
                                                                                                                                                                                                                        SHA-512:ACA8C87D0B2BB35A325726F7774F8A0232B99C8EFE0F948AB68210958E23B95E9D9026A9430D96FC2D5CEBA94815F4217896EF877C9A6E1D0E56F73533FB1D12
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:.........#/.e.....h.....i.#...j./...k.>...l.I...n.Q...o.V...p.c...q.i...r.u...s.....t.....v.....w.....y.....z.....|.....}.........................................................................9.....V.....n...........V.......................g...........i...........l.....).................g...........,.....f.......................@.................6.....M......................./....."...........l..........._...........D.....y..... .................&.......................5.....9.....3.............................B.................r.................D...................................=.....b.........................................E.....\...........Y.................'...................................D.....n...........j.................9.......................a...........i...........v...........t...........a........................ ....,!....l!.....!....j"....."....R#....|#....O$.....%.....%.....%.....&....x'.....(....Q(.....(....z).....).....)....]*.....*.....+....$+.....+.....,.....-
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):553886
                                                                                                                                                                                                                        Entropy (8bit):5.812150703289796
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:
                                                                                                                                                                                                                        MD5:A9656846F66A36BB399B65F7B702B47D
                                                                                                                                                                                                                        SHA1:4B2D6B391C7C2B376534C0AF9AA6779755B4B74E
                                                                                                                                                                                                                        SHA-256:02B65F48375911C821786D91698E31D908A4C0F5F4F1460DE29980A71124480E
                                                                                                                                                                                                                        SHA-512:7E23CAA89FF80BF799AC5353CEAF344CBED0393F23D15FCBE8DC24EE55757F417CEA3BFC30889FD2CB41951F9FA5629C2E64B46DD9617D4A85EFEF0A255246F6
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:........5$..e.`...h.h...i.|...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.%...}.7.....?.....D.....L.....T.....\.....c.....j.....q.....r.....s.....u.............................h...............................................[.........../.....I.................S.....j...........9.....h.....{...........4.....].....q...........J.................?.............................%.....`.....y...........\................./.............................%.....v.................G.....g.....|...........=.....c.....u...........6.....].....o...........O.........................................".......................3.......................R.............................-.....x.................0.....K....._.................0.....E.................G.....W...........T.................).....w.................-.......................M.............................O.................J.........................................'.........................................E.
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):532410
                                                                                                                                                                                                                        Entropy (8bit):5.486224954097277
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:
                                                                                                                                                                                                                        MD5:BE49BB186EF62F55E27FF6B5FD5933F4
                                                                                                                                                                                                                        SHA1:84CFD05C52A09B4E6FA62ADCAF71585538CF688E
                                                                                                                                                                                                                        SHA-256:833F2E1B13381AA874E90B747931945B1637E53F2396A7409CCDA0A19CBE7A84
                                                                                                                                                                                                                        SHA-512:1808631559D3C28589D3F5A4B95554CEBC342DE3D71B05DDC213F34851BF802967BFFAC3D7668C487265EE245D1E26EFCE5D317EDBFBBEEB4BC2C9F122980585
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:.........$..e.....h.6...i.G...j.Q...k.`...l.k...n.s...o.x...p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}...............................%.....,.....3.....:.....;.....<.....>.....P.....^.....n...................................y.................&...........2.....}.................h.......................g.......................Z.......................v.................O...................................3.....I.................T.....h...........b.................S...........$.....J.......................(.............................n.......................z...........$.....8.................2.....C...........).....j.................;.....i.....|...........?.....q.................[.......................g.......................L.....j.................G.......................~.................I.......................B.......................b.............................^.............................o.........................................j.......................x.......
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):818089
                                                                                                                                                                                                                        Entropy (8bit):4.779985663253385
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:
                                                                                                                                                                                                                        MD5:AFA2DFBA3BD71FE0307BFFB647CDCD98
                                                                                                                                                                                                                        SHA1:CD7A5C54246E891981AEEEAA88D39EC9E3F2C594
                                                                                                                                                                                                                        SHA-256:1375353837629A20102C69BF62701EE5401BED84D3DC4845BED5EE43E4D322CF
                                                                                                                                                                                                                        SHA-512:CE8BBBDDC33CB6B8DF4AEE127A8987E6D8C1D0761AC5BD25D685310BAA2D377F239BDF06F2C04B54295CF8FD440697A69A040644D5A7C0395C4F71A0252B8E87
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:........=$|.e.p...h.x...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.,...|.2...}.D.....L.....Q.....Y.....a.....i.....p.....w.....~.........................................).................W...........O...........\...........z.....E...................................3...........b.................a.................5.......................1.....1...........v...........|...........{...........`...........Y.....~.....d...................................S........... .......................{...........(.....K...........H.................c...........d...........3.................)...........B.................D.................(...........W.......................E.................~...........'.....O...........^.................~ .....!....]!....z!....J"....."....=#.....#....0$.....$.....$.....%.....%....P&.....&.....&.....'....1(.....(.....(.....).....*....5+....S+....A,.....,....Z-.....-....^...........=/....^/...../....Y0.....0.....0.....1....'2.....2
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):479512
Entropy (8bit):5.541069475898216
Encrypted:false
SSDEEP:
MD5:09592A0D35100CD9707C278C9FFC7618
SHA1:B23EEF11D7521721A7D6742202209E4FE0539566
SHA-256:9C080A2F6D4EDF0E2E94F78550B9DB59ADF5B1B9166DE2BAE496E6ABB6733304
SHA-512:E0760B3F227A3E7EAEB4816B8E02BEE51C62730D24403724D66B36BCCBC0BDCD56DF9EAB28B073AB727EE12C8856A858E52A9803E1A1C9164FCD3CF2F716D8AF
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):504856
Entropy (8bit):5.34516819438501
Encrypted:false
SSDEEP:
MD5:9E038A0D222055FED6F1883992DCA5A8
SHA1:8FA17648492D7F093F89E8E98BF29C3725E3B4B5
SHA-256:DDCA575D659545D80E715EB4176BBBBFBD3F75E24B223537B53740B0DCB282BD
SHA-512:FB70F97E08191DFEB18E8F1A09A3AB61687E326265B1349AB2EFF5055F57E177A496BF0EA3592B61C71FE1F73C9143CA1495B05226F36EB481024827CAE6DCC4
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):1298313
Entropy (8bit):4.058495187693592
Encrypted:false
SSDEEP:
MD5:36104CB0D5E26E0BBB313E529C14F4B4
SHA1:69A509DEE8419DA719DCF6DE78BFE0A6737508C5
SHA-256:DC28C869A143424F71EDCFDB08B56DA31C2EC96E9D608535FFA7DC0B0842B7D8
SHA-512:D46ED1AA19EB298BC4C3D61EFC28D80753D6B551F01808E6158A0869FAAE8755DF61D4B4BAFF1310DD09FCFC385ABA67E1AA7D61BBE399DF7BB2D483EBE0FEFF
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):1199612
Entropy (8bit):4.314031920337284
Encrypted:false
SSDEEP:
MD5:98714389748A98ECC536CD2F17859BDF
SHA1:07761AA31588F30C2CED4A1E31FE99DDC43A5E8D
SHA-256:8A81B1A5457407E49D6372677938E7A2D28DFCA69F555FEDC8A2C9C09C333A65
SHA-512:38CC4F064BD874EEC9DBFAB4C2A83A487FBCD89CEFB40BE4213C42231BC48AF9255341C9D325EE059BC50EE533898C5FA22CD3B3927A8E045049DEF3C5DFB2C6
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):1008989
Entropy (8bit):4.356501290091745
Encrypted:false
SSDEEP:
MD5:56F29DE3465795E781A52FCF736BBE08
SHA1:EAA406E5ED938468760A29D18C8C3F16CF142472
SHA-256:529C561747BF8B6206BE4F8BCF287A1D15E1B14A33113242DDAD5E035CA37BE6
SHA-512:519B5B3CC7032B2AF856456EEC25019B3A6A7F2A6DB7A0318CF87C41E08C6F6BFA73E239939B0DA16972C1D357FF06177765D875E19742D23E99A95FD4AC5416
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):515329
Entropy (8bit):5.616482888977033
Encrypted:false
SSDEEP:
MD5:46CA9EE922C3C175DE466066F40B29CE
SHA1:5563E236A15CD9CC44AE859165DF1E4E722936C7
SHA-256:BD8B1441FD2057F0B61512CC0AA23DFD2619560CF886B4D453FA7472E7153A3F
SHA-512:45AA2D6896568751C2F986ABD281EA07CB731880DF8F28F2F0AEFD95736F41B1E005D8DFB6F0AEF0CED6CEF94154D34FD0DA2CB7F0B0C66D9C085F5C47F32605
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):876131
Entropy (8bit):4.88404350774067
Encrypted:false
SSDEEP:
MD5:1365ABDD1EFB44720EA3975E4A472530
SHA1:8421FC4905C592EB1269C5D524AA46866D617D3C
SHA-256:29AB0F7EE69FB7A1E1E54DD2A3746D2CFEAAA71AE5971EE30AA8E2E0F6556FA5
SHA-512:2E806A9BEA864E689BBD1D78B800DFDBC6E4109320F9A4790E52010BFDEC20C7644655A6FE3BABDE0B84D9580208CB78EF1FA0DB3476F8676C17A13D130296C7
Malicious:false
Reputation:unknown
Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):765853
Entropy (8bit):5.17061834928747
Encrypted:false
SSDEEP:
MD5:3FED15E64BEAFBA75DE61B08A45AE106
SHA1:E24953271D8C0254AD011D3A65B2C2FA57903681
SHA-256:B6E250C3F4FBAC3AF5FB8BB1C61CACAD8685D7F2A97063DE23BC22E91B7F2E27
SHA-512:3948D080135AFEB240815D43F7B5B8D407BA2830FF701D9B8343F2A72E610827EDAAB643444CDCEB86812ADFC9FB3FBA3AAD6DB7488843C2A04E92A3E63FE40D
Malicious:false
Reputation:unknown
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):609259
                                                                                                                                                                                                                        Entropy (8bit):5.796202390024141
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:
                                                                                                                                                                                                                        MD5:CD741C24AF7597E0DC11069D3AC324E0
                                                                                                                                                                                                                        SHA1:2A883DFBCF48D5093D70D4B77BBFFFA521287334
                                                                                                                                                                                                                        SHA-256:13E982DC4B2B1AEE093E96BA27E02258C2B815CBB062006A4396BB3A3E6A84B1
                                                                                                                                                                                                                        SHA-512:6D27998E25B57FF0CE08C3590B69031038CBA390E68333A83514022B2C56B689AF8AD9715302824027864B5320852E9AB77D74E3B8A90DC66DF59F48CEB528C9
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):441207
                                                                                                                                                                                                                        Entropy (8bit):6.685712707138377
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:
                                                                                                                                                                                                                        MD5:99E6ACFB46923C4F8B29058E9EE6166B
                                                                                                                                                                                                                        SHA1:AF06C42E5F3578ADBC4F0BD7262DC6775FDD351F
                                                                                                                                                                                                                        SHA-256:9D8498875263B19552A982D1850F2F942FF44AF4E323BC5A3A67C34413994D95
                                                                                                                                                                                                                        SHA-512:4FDF5186FC2FC68210C2BE91F5B821F0979CA67D6C9B8915C14E7A20D3CE2548EB2660D5F9F398CF6C585A5C0725FA34FD3670F416F7C8A4F009C729BCF02988
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):439630
                                                                                                                                                                                                                        Entropy (8bit):6.6906570508767995
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:
                                                                                                                                                                                                                        MD5:BB7C995F257B9125457381BB01856D72
                                                                                                                                                                                                                        SHA1:21C55FF5CBC4F223C23D5A2FBCC9E051DB78A44C
                                                                                                                                                                                                                        SHA-256:F2299E03E99B0E9A9CACE3B1C72E6C8C5FE089487CA1C82F2AAF4273B62E37A2
                                                                                                                                                                                                                        SHA-512:5247C5DA6F00DF6241500524DDB162041A03649FA0AFCC11AD40E820814958768A2E11CE34E1250FDBF42B2459F8C06B00AE7442B537F0731A62C6724FC8D890
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):275968
                                                                                                                                                                                                                        Entropy (8bit):5.778490068583466
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:
                                                                                                                                                                                                                        MD5:7EA1429E71D83A1CCAA0942C4D7F1C41
                                                                                                                                                                                                                        SHA1:4CE6ACF4D735354B98F416B3D94D89AF0611E563
                                                                                                                                                                                                                        SHA-256:EDEC54DA1901E649588E8CB52B001AB2AEC76ED0430824457A904FCC0ABD4299
                                                                                                                                                                                                                        SHA-512:91C90845A12A377B617140B67639CFA71A0648300336D5EDD422AFC362E65C6CCD3A4FF4936D4262B0EAF7BAE2B9624BCD3C7EEC79F7E7CA18ABE1EC62C4C869
                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):1547797
                                                                                                                                                                                                                        Entropy (8bit):4.370092880615517
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:
                                                                                                                                                                                                                        MD5:32AB4E0A9A82245EE3B474EF811F558F
                                                                                                                                                                                                                        SHA1:9F2C4C9EEB5720D765F2321ACD0FF9F8DD11E6A4
                                                                                                                                                                                                                        SHA-256:9BBF4D15F8FB11F7D2C032BD920D2A33B2C2CB8EF62E7E023049AF6132F5D6C1
                                                                                                                                                                                                                        SHA-512:A0574A170F69F9926C32BAF6119A16A381FEC9E881B304082859EE7CFF463570C78984EE14369C59CDB19E532B3ABF193D02B462F1B40D07214B6244150CD63F
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                        Preview:<?xml version="1.0"?>..<doc>.. <assembly>.. <name>log4net</name>.. </assembly>.. <members>.. <member name="T:log4net.Appender.AdoNetAppender">.. <summary>.. Appender that logs to a database... </summary>.. <remarks>.. <para>.. <see cref="T:log4net.Appender.AdoNetAppender"/> appends logging events to a table within a.. database. The appender can be configured to specify the connection .. string by setting the <see cref="P:log4net.Appender.AdoNetAppender.ConnectionString"/> property. .. The connection type (provider) can be specified by setting the <see cref="P:log4net.Appender.AdoNetAppender.ConnectionType"/>.. property. For more information on database connection strings for.. your specific database see <a href="http://www.connectionstrings.com/">http://www.connectionstrings.com/</a>... </para>.. <para>.. Record
                                                                                                                                                                                                                        Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                        Size (bytes):342741
                                                                                                                                                                                                                        Entropy (8bit):5.496697631795104
                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                        SSDEEP:
                                                                                                                                                                                                                        MD5:A58DB728B50E6B82CBDCAA0DB61D36B1
                                                                                                                                                                                                                        SHA1:7CD76526CB29A0FF5350A2B52D48D1886360458B
                                                                                                                                                                                                                        SHA-256:BA2F2AC6AE9BC67399728F25772A0EB3E840695395CC747ADF4B2F8B5D6D9A46
                                                                                                                                                                                                                        SHA-512:0DB9AFBDADA44364521D89BAB6055458125F4F3C8C1B09048EAFA4055A194231CCFFD82FCDADA9360AB2B19F472B893330EBFCB027391E7A0C2B1100FC51E673
                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                        Reputation:unknown
Preview:..mirrors....(function(a,b){."use strict";.var c=a.Array;.var d=a.isNaN;.var e=a.JSON.stringify;.var f;.var g;.var h=b.ImportNow("promise_state_symbol");.var i=b.ImportNow("promise_result_symbol");.var j;.var k;.b.Import(function(l){.f=l.MapEntries;.g=l.MapIteratorNext;.j=l.SetIteratorNext;.k=l.SetValues;.});.var m={.UNDEFINED_TYPE:'undefined',.NULL_TYPE:'null',.BOOLEAN_TYPE:'boolean',.NUMBER_TYPE:'number',.STRING_TYPE:'string',.SYMBOL_TYPE:'symbol',.OBJECT_TYPE:'object',.FUNCTION_TYPE:'function',.REGEXP_TYPE:'regexp',.ERROR_TYPE:'error',.PROPERTY_TYPE:'property',.INTERNAL_PROPERTY_TYPE:'internalProperty',.FRAME_TYPE:'frame',.SCRIPT_TYPE:'script',.CONTEXT_TYPE:'context',.SCOPE_TYPE:'scope',.PROMISE_TYPE:'promise',.MAP_TYPE:'map',.SET_TYPE:'set',.ITERATOR_TYPE:'iterator',.GENERATOR_TYPE:'generator',.}.var n=0;.var o=-1;.var p=[];.var q=true;.function MirrorCacheIsEmpty(){.return n==0&&p.length==0;.}.function ToggleMirrorCache(r){.q=r;.ClearMirrorCache();.}.function ClearMirrorCache(r){.

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):8226870
Entropy (8bit):7.996842728494533
Encrypted:true
SSDEEP:
MD5:F7EC58AEA756F3FD8A055AC582103A78
SHA1:086B63691F5E5375A537E99E062345F56512A22C
SHA-256:517418184EA974C33FFE67B03732D19B1234DCB9E5C1C2E9E94ED41B3BC1D064
SHA-512:C620C6E16BBCEE9BC607E6CA75D602C756276AC69E5F3761D82DE7728164133656A71A69043EB1A86CE3051FDE4327A47EFD41D1FF47C8385699CA67C423AD7B
Malicious:false
Reputation:unknown
Preview:............f.6:..{..D..|..G..~. K.....]....._....=.....c...........9.....B.............................F.....K/.....2....54....r5.....6.....?.....@....jB.....C....hD.....E.....H....nj.....k.....r....@~...."..........W.....................;..../;'...2;P...7;....8;....C;....D;U...E;....F;....G;A,..H;.;..I;gK..J;.Z..K;.h..L;.}..M;y...N;{...O;z...P;....Q;8...R;....S;....T;C'..U;.=..V;.W..W;.m..X;....Y;....Z;D...[;....\;....];.....<.....<x....<.....<-....<\....<.....<.....<.....<.....<*(...< /...<+3...<.3..I=.3..J=.7..K=.9..R= >..S=.G..T=}V..[=;w..\=.x..]=.}..^=R..._=....`=....a=....b=....c=....e=:...f=.....=....=.....=....=`....=p....=.....=.....=.....=.....=.....=K....=.....=t....=.....=.....=.....=\....=Z....=.....=T....=[....=x....=.....=.....=D....=.....=.....=.....=l....=F....=.'...=j)...>.+...>l,...>_0...>.2...>.6...>.8..N>.\..O>~^..P>._..Q>%d..R>.k..S>.l..T>Tn..U>.p..b>.u..c>/y..d>.|..B@....C@....D@o...E@....F@W...L@Z...M@(...N@...O@....D.....D ....D ....D;....D.....D....D..

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):276319
Entropy (8bit):4.242318669799302
Encrypted:false
SSDEEP:
MD5:8234983533FA47D2A1D7710FF8274299
SHA1:E4C5793B6FE6A6C6C9D8E3921B3BC341AE3448D8
SHA-256:F95553D8066144CBB8A05EED1735C94A4B97A2E44E49F624C2302990A13017C9
SHA-512:1E7E201B0FF9AFA7821B5FFD0A36548A49CD4DBBABA5858E13DA35058670A5053723DD3544B2FD85C619F2B8FC9E5DB48DF977BB293E7BA7DE6F22CC8DAB28CA
Malicious:false
Reputation:unknown
Preview:.........X./j1N.11.8.172.9.......................................................@...y...........@..`....`....`....`b...`....`............B..............b........."..............B..............b...(Jb...)L.....@..F^.1..5.`.....(Jb...-P.....@..F^..`.....H...IDa........Db............D`.....-.D`.....D]D....D`......WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa............L...................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):26
Entropy (8bit):3.8731406795131327
Encrypted:false
SSDEEP:
MD5:2C66F3C2190A84FAFD4449DAF6440EAC
SHA1:7B9E4C94329FE26C34E63AB8336227FD5EB553E9
SHA-256:58EB97E30289A3FCAE270DBCC01258A862936350CB0EF781AE76D6A9444C0155
SHA-512:62713209575426CE503605C6F451E9DFB025BE0295F0A453614862CE390F5987F0E16BAE6B37B4B1A7330A7CB5AA31249F8CF58DE37B8B701C16881E4E4E61C1
Malicious:false
Reputation:unknown
Preview:start GamePall.exe OuWe5kl

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:MSVC program database ver 7.00, 512*4023 bytes
Category:dropped
Size (bytes):2059776
Entropy (8bit):4.067542396670122
Encrypted:false
SSDEEP:
MD5:70F9EAEA8A2A604E59F72EDE66F83AB4
SHA1:0AB9EA1BFFDFF471EC22AB289C7FBC5E0CDF48BF
SHA-256:38A07BA75CC2BBDF715CA87D380A4E5A0DCFAF9C30C5ECD30F6107871D51825B
SHA-512:47DE4DAD93385A4907FADE307040FE026ED66989C0C9915AFC96CB2BC93DE5E106DC1274E4AD2382021C758C60FEDE06D68998CF3591E23E2951778CE09D6D4C
Malicious:false
Reputation:unknown
Preview:Microsoft C/C++ MSF 7.00...DS................J..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):346624
Entropy (8bit):6.54104466243173
Encrypted:false
SSDEEP:
MD5:7A53AD3E5D2E65C982450E7B7453DE8A
SHA1:99F27E54F1F61207C02110CAC476405557A8AD54
SHA-256:24FDDD6A367792A9D86D9060FC9AA459B5FB0F67804CB7D139A100D86BBDAFF8
SHA-512:2B5E5DB46FDC787CB46CDAEBFFC01586E248FBB864677B27AF03CDC33E956DEF51B3F836597E7092C4175CF605C44728C6F96B74BB2C9870E9715D4AF4C531A1
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......_.........."!.........T............................................................@A....................................P....p...........................3..4.......................8........G...............................................text............................... ..`.rdata..............................@..@.data....4..........................@....00cfg.......@......................@..@.tls.........P......................@....voltbl......`...........................rsrc........p......................@..@.reloc...3.......4..................@..B........................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):2445312
Entropy (8bit):6.750207745422387
Encrypted:false
SSDEEP:
MD5:334C3157E63A34B22CCE25A44A04835F
SHA1:C6B05BD55BE9FED3B0C5077C5649E2A41C10DC08
SHA-256:3E307570B574469EC8BCF1CE6D5291DF8D627CA3812F05AACFEBBD3F00B17F89
SHA-512:11F538ADD05515861891892EBB90163B6540B72FEB380D64B4A0AA56C6415E3B71374557BF50D0B936712B1006F2B94D59BEBFBF18CBF93BB883D9055CAAEEE9
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......_.........."!.....4 .................................................p*...........@A..........................#.. ....$.d....P)......................`).......#.......................#......."...............$.P............................text.../2 ......4 ................. ..`.rdata..\....P ......8 .............@..@.data...L....@$...... $.............@....00cfg....... )......>$.............@..@.tls.........0)......@$.............@....voltbl.M....@)......B$..................rsrc........P)......D$.............@..@.reloc.......`)......H$.............@..B........................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:data
Category:dropped
Size (bytes):631017
Entropy (8bit):5.144793130466209
Encrypted:false
SSDEEP:
MD5:0794DF29DF8DFC3ECE5C443F864F5AEB
SHA1:BFD4A9A34BEB9751BC4203FB9A9172F1F05E5B16
SHA-256:3EE2237E9B14871165B051CCF892C8375E45B5F12841E02F4B9D37F5D5A03283
SHA-512:0D34E36F7455B977F086F04840FBA679284A619A7164A56B5C7FC2ADCB23A231B67A62101540EB07CF5C8192790266B08D2CC232D291621C331FE77C1F5E52C0
Malicious:false
Reputation:unknown
Preview:..........d..<..11.8.172.9......................................................@...]!...S..y...-[..........`....`....`T...`b...`....`............B..............b........."..............B..............b...(Jb...)L.....@..F^.1..5.`.....(Jb...-P.....@..F^..`.....H...IDa........Db............D`.....-.D`.....D]D....D`......WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa............L...........................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):4400640
Entropy (8bit):6.667314807988382
Encrypted:false
SSDEEP:
MD5:7F913E31D00082338F073EF60D67B335
SHA1:AC831B45F2A32E23BA9046044508E47E04CDA3A4
SHA-256:B60E9818C4EA9396D0D2D2A4AC79C7DC40D0DFF6BB8BC734D0AB14ADC30FBF30
SHA-512:E1AC79C775CF9137283CD2C1AE1A45EC597E0351CDB9C11D483E2E1F8B00CC2BBC5807A50DED13A3A5E76F06C1A565EFF1233F4EC727B0C5F7AA3BEAEA906750
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....$5.........P.-......................................PD...........@A........................8=?.~....\?.P.... B......................0B.X.....?.....................H.?......@5.............._?..............................text...T#5......$5................. ..`.rdata...a...@5..b...(5.............@..@.data...@N....?..x....?.............@....00cfg........B.......A.............@..@.tls....5.....B.......A.............@....rsrc........ B.......A.............@..@.reloc..X....0B.......A.............@..B................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:JSON data
Category:dropped
Size (bytes):106
Entropy (8bit):4.724752649036734
Encrypted:false
SSDEEP:
MD5:8642DD3A87E2DE6E991FAE08458E302B
SHA1:9C06735C31CEC00600FD763A92F8112D085BD12A
SHA-256:32D83FF113FEF532A9F97E0D2831F8656628AB1C99E9060F0332B1532839AFD9
SHA-512:F5D37D1B45B006161E4CEFEEBBA1E33AF879A3A51D16EE3FF8C3968C0C36BBAFAE379BF9124C13310B77774C9CBB4FA53114E83F5B48B5314132736E5BB4496F
Malicious:false
Reputation:unknown
Preview:{"file_format_version": "1.0.0", "ICD": {"library_path": ".\\vk_swiftshader.dll", "api_version": "1.0.5"}}

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):826368
Entropy (8bit):6.78646032943732
Encrypted:false
SSDEEP:
MD5:A031EB19C61942A26EF74500AD4B42DF
SHA1:FDC6EA473234F153639E963E8EFB8D028DA1BE20
SHA-256:207706A3A3FAA8500F88CB034B26413074EFC67221A07C5F70558F3C40985A91
SHA-512:80F843E47FC2B41B17EF6EA1BB2BB04119B2417311599EC52120D9F9DF316B4D7B1DAF97EE5CDF2AE78CDB9475E5C65255A7F2AB2A9231804F6A82C83303FD19
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
                                                                                                                                                                                                                        Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....|..........@.....................................................@A...........................<!..$...P....p..............................l..............................................P................................text....z.......|.................. ..`.rdata..tr.......t..................@..@.data....7..........................@....00cfg.......P......................@..@.tls.........`......................@....rsrc........p......................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Users\user\AppData\Local\Temp\setup.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):211456
Entropy (8bit):6.566524833521835
Encrypted:false
SSDEEP:
MD5:6D7FD214164C858BBCF4AA050C114E8C
SHA1:B8868DA6BB9A79EE7C9901A9BFAC580D5BAFCC96
SHA-256:3F58FB22BD1A1159C351D125BEE122A16BB97BABB5FCA67FDBD9AAAED3B302E6
SHA-512:0F8F2523C3A616AC7C72A1239B7E353F6A684FF75DA79D1CAF9B98A47FF6FE06329165825704C67C04E92073BA2C17D0FF339C57731DDF0F1489C2E97D1D0A14
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............^...^...^..._...^..._q..^..._..^..._..^..._..^..._..^k.._...^..._...^...^...^k.._...^k.._...^n..^...^k.._...^Rich...^........................PE..L...Ua.X.........."!.........(......c........0............................................@.................................x...<....@.......................P..T"......8...............................@............0..0............................text............................... ..`.rdata..`....0....... ..............@..@.data...............................@....gfids.......0......................@..@.rsrc........@......................@..@.reloc..T"...P...$..................@..B........................................................................................................................................................................................................................................

Process:C:\Windows\explorer.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):284672
Entropy (8bit):5.557084591006534
Encrypted:false
SSDEEP:
MD5:5F93B2E5FAF3721C176353FD8AB82F9D
SHA1:85B6C685A5A88E8E25385A73330DEFA2A3C9F373
SHA-256:7FC4847438A3867AB9380525626D0CECE5F31BD4D148864E4168616C182F7B6E
SHA-512:1AB0AE7EFF5A0E0D588E6D85BB31C47B5E7E064842599CFEE58E065CEDDB0C1864965C6C4662174521778B56D4E266CE8252D4B6373B81858E32481CB9ADF426
Malicious:true
Antivirus:
• Antivirus: ReversingLabs, Detection: 61%
Reputation:unknown
                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........{...}..}..}..}..}..}...}..}...}.An}..}..}...}..}..}..}..}..}..}Rich..}........................PE..L...8..d............................P.............@.........................................................................,_..x....0..8............................................................................................................text...`........................... ..`.rdata..f...........................@..@.data... ....p.......Z..............@....rsrc...8....0.......x..............@..@................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\explorer.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:true
Reputation:unknown
Preview:[ZoneTransfer]....ZoneId=0

Process:C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:modified
Size (bytes):4926
Entropy (8bit):3.2419838832995858
Encrypted:false
SSDEEP:
MD5:24A7B3DFDE10C68E8534638E8C10D357
SHA1:8CF5D31253BE9E2DF467347E7C8B8A1AA6E54A71
SHA-256:E03458CC8914BA6E6FFAB5F3F6BF41A64EF57EDC1F04FB6080F453DADF55302A
SHA-512:CCC9A7722CE6D65F4FFD7EF8210D0264F4E8FA6C4CAB653200EBD349E074B8476CBE15F5C46E342D9D03EDEE9D97A41769CFAC1C7DA51FBD07DCE2DF224CF140
Malicious:false
Reputation:unknown
                                                                                                                                                                                                                        Preview:..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. W.e.d. .. O.c.t. .. 0.4. .. 2.0.2.3. .1.2.:.0.3.:.4.2.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .W.S.C. .S.t.a.t.e. .I.n.f.o. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. .*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.*.....d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):5.557084591006534
TrID:
• Win32 Executable (generic) a (10002005/4) 99.53%
• InstallShield setup (43055/19) 0.43%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:5GOuTtZoQn.exe
File size:284'672 bytes
MD5:5f93b2e5faf3721c176353fd8ab82f9d
SHA1:85b6c685a5a88e8e25385a73330defa2a3c9f373
SHA256:7fc4847438a3867ab9380525626d0cece5f31bd4d148864e4168616c182f7b6e
SHA512:1ab0ae7eff5a0e0d588e6d85bb31c47b5e7e064842599cfee58e065ceddb0c1864965c6c4662174521778b56d4e266ce8252d4b6373b81858e32481cb9adf426
SSDEEP:3072:Qs5CLMAaLn4fiRoDThD9A/cDIAGCjoZ/y5G1+ZtQXGumXvH/ddkxrj:PQLMAajfY9McDnZMZ/QZtQyXvarj
TLSH:8C54E59375F1A815E2A34B305F3BA6EC3B3F78B26D20437A61102E1A5B756A1E943713
                                                                                                                                                                                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........{....}...}...}...}...}...}...}...}...}.An}...}...}...}...}...}...}...}...}...}Rich...}........................PE..L...8..d...
                                                                                                                                                                                                                        Icon Hash:1723352529170717
                                                                                                                                                                                                                        Entrypoint:0x401a50
                                                                                                                                                                                                                        Entrypoint Section:.text
                                                                                                                                                                                                                        Digitally signed:false
                                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                                        Subsystem:windows gui
                                                                                                                                                                                                                        Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                                                                        DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                        Time Stamp:0x64A3A938 [Tue Jul 4 05:08:08 2023 UTC]
                                                                                                                                                                                                                        TLS Callbacks:
                                                                                                                                                                                                                        CLR (.Net) Version:
                                                                                                                                                                                                                        OS Version Major:5
                                                                                                                                                                                                                        OS Version Minor:0
                                                                                                                                                                                                                        File Version Major:5
                                                                                                                                                                                                                        File Version Minor:0
                                                                                                                                                                                                                        Subsystem Version Major:5
                                                                                                                                                                                                                        Subsystem Version Minor:0
                                                                                                                                                                                                                        Import Hash:9ab579f0940038199ed136d401eb2211
Instruction
call 00007F4924C7EBE0h
jmp 00007F4924C79FFEh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [004288F8h], eax
mov dword ptr [004288F4h], ecx
mov dword ptr [004288F0h], edx
mov dword ptr [004288ECh], ebx
mov dword ptr [004288E8h], esi
mov dword ptr [004288E4h], edi
mov word ptr [00428910h], ss
mov word ptr [00428904h], cs
mov word ptr [004288E0h], ds
mov word ptr [004288DCh], es
mov word ptr [004288D8h], fs
mov word ptr [004288D4h], gs
pushfd
pop dword ptr [00428908h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [004288FCh], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [00428900h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [0042890Ch], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [00428848h], 00010001h
mov eax, dword ptr [00428900h]
mov dword ptr [004287FCh], eax
mov dword ptr [004287F0h], C0000409h
mov dword ptr [004287F4h], 00000001h
mov eax, dword ptr [00427004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [00427008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000B8h]
Programming Language:
• [C++] VS2008 build 21022
• [ASM] VS2008 build 21022
• [ C ] VS2008 build 21022
• [IMP] VS2005 build 50727
• [RES] VS2008 build 21022
• [LNK] VS2008 build 21022
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25f2c | 0x78 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1f43000 | 0x1de38 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xb000 | 0x198 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9b60 | 0x9c00 | 934d4e185905da48b84b8744c6dd9ddb | False | 0.6057942708333334 | data | 6.596345799435614 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xb000 | 0x1b866 | 0x1ba00 | b069e4803fd63b6d1c0904142f5fb1f9 | False | 0.5057533229638009 | OpenPGP Public Key Version 2 | 5.1495284540279025 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x27000 | 0x1f1bc20 | 0x1e00 | e3e20201ba23540af55e3b37cb756963 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x1f43000 | 0x1de38 | 0x1e000 | 8fe2c2c1e12ce75c44aacc30cee1edda | False | 0.45990397135416666 | data | 5.197860086566417 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x1f5a560 | 0x130 | Device independent bitmap graphic, 32 x 64 x 1, image size 0 | | | 0.4276315789473684
RT_ICON | 0x1f43af0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | Turkish | Turkey | 0.6066098081023454
RT_ICON | 0x1f44998 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Turkish | Turkey | 0.6872743682310469
RT_ICON | 0x1f45240 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors | Turkish | Turkey | 0.7419354838709677
RT_ICON | 0x1f45908 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | Turkish | Turkey | 0.7890173410404624
RT_ICON | 0x1f45e70 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Turkish | Turkey | 0.5868257261410789
RT_ICON | 0x1f48418 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | Turkish | Turkey | 0.7152908067542214
RT_ICON | 0x1f494c0 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2304 | Turkish | Turkey | 0.7241803278688524
RT_ICON | 0x1f49e48 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | Turkish | Turkey | 0.8687943262411347
RT_ICON | 0x1f4a328 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Turkish | Turkey | 0.3736673773987207
RT_ICON | 0x1f4b1d0 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Turkish | Turkey | 0.47382671480144406
RT_ICON | 0x1f4ba78 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Turkish | Turkey | 0.5149769585253456
RT_ICON | 0x1f4c140 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Turkish | Turkey | 0.5361271676300579
RT_ICON | 0x1f4c6a8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Turkish | Turkey | 0.399792531120332
RT_ICON | 0x1f4ec50 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Turkish | Turkey | 0.41322701688555347
RT_ICON | 0x1f4fcf8 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Turkish | Turkey | 0.4618852459016393
RT_ICON | 0x1f50680 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Turkish | Turkey | 0.4716312056737589
RT_ICON | 0x1f50b60 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Turkish | Turkey | 0.28171641791044777
RT_ICON | 0x1f51a08 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Turkish | Turkey | 0.427797833935018
RT_ICON | 0x1f522b0 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Turkish | Turkey | 0.5558755760368663
RT_ICON | 0x1f52978 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Turkish | Turkey | 0.5802023121387283
RT_ICON | 0x1f52ee0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Turkish | Turkey | 0.1817427385892116
RT_ICON | 0x1f55488 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Turkish | Turkey | 0.27909836065573773
RT_ICON | 0x1f55e10 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Turkish | Turkey | 0.2828014184397163
RT_ICON | 0x1f562e0 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | Turkish | Turkey | 0.4157782515991471
RT_ICON | 0x1f57188 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | Turkish | Turkey | 0.5839350180505415
RT_ICON | 0x1f57a30 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Turkish | Turkey | 0.6296082949308756
RT_ICON | 0x1f580f8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | Turkish | Turkey | 0.6206647398843931
RT_ICON | 0x1f58660 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | Turkish | Turkey | 0.5039868667917449
RT_ICON | 0x1f59708 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | Turkish | Turkey | 0.48565573770491804
RT_ICON | 0x1f5a090 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Turkish | Turkey | 0.526595744680851
                                                                                                                                                                                                                        RT_STRING0x1f5a8500x84data0.6439393939393939
                                                                                                                                                                                                                        RT_STRING0x1f5a8d80x84data0.5909090909090909
                                                                                                                                                                                                                        RT_STRING0x1f5a9600x796data0.42687950566426364
                                                                                                                                                                                                                        RT_STRING0x1f5b0f80x6f8data0.42937219730941706
                                                                                                                                                                                                                        RT_STRING0x1f5b7f00x686data0.42574850299401196
                                                                                                                                                                                                                        RT_STRING0x1f5be780x1a6data0.5284360189573459
                                                                                                                                                                                                                        RT_STRING0x1f5c0200x7fcdata0.41682974559686886
                                                                                                                                                                                                                        RT_STRING0x1f5c8200x774data0.42348008385744235
                                                                                                                                                                                                                        RT_STRING0x1f5cf980x7ccdata0.4243486973947896
                                                                                                                                                                                                                        RT_STRING0x1f5d7680x4c2data0.45977011494252873
                                                                                                                                                                                                                        RT_STRING0x1f5dc300x788data0.4279045643153527
                                                                                                                                                                                                                        RT_STRING0x1f5e3b80x5b4data0.4452054794520548
                                                                                                                                                                                                                        RT_STRING0x1f5e9700x72edata0.42709466811751906
                                                                                                                                                                                                                        RT_STRING0x1f5f0a00x650data0.43316831683168316
                                                                                                                                                                                                                        RT_STRING0x1f5f6f00x7f4data0.4179764243614931
                                                                                                                                                                                                                        RT_STRING0x1f5fee80x720data0.42653508771929827
                                                                                                                                                                                                                        RT_STRING0x1f606080x7c4data0.42505030181086517
                                                                                                                                                                                                                        RT_STRING0x1f60dd00x62data0.6632653061224489
                                                                                                                                                                                                                        RT_GROUP_CURSOR0x1f5a6900x14data1.15
                                                                                                                                                                                                                        RT_GROUP_ICON0x1f50ae80x76dataTurkishTurkey0.6694915254237288
                                                                                                                                                                                                                        RT_GROUP_ICON0x1f562780x68dataTurkishTurkey0.7115384615384616
                                                                                                                                                                                                                        RT_GROUP_ICON0x1f4a2b00x76dataTurkishTurkey0.6610169491525424
                                                                                                                                                                                                                        RT_GROUP_ICON0x1f5a4f80x68dataTurkishTurkey0.7211538461538461
                                                                                                                                                                                                                        RT_VERSION0x1f5a6a80x1a8data0.5943396226415094
DLL | Import
KERNEL32.dll | SetVolumeMountPointW, GetComputerNameW, SetCommBreak, SleepEx, GetCommProperties, GetModuleHandleW, GetTickCount, EnumCalendarInfoExW, GlobalAlloc, GetConsoleAliasExesLengthW, WriteConsoleOutputA, lstrcpynW, GetModuleFileNameW, GetConsoleAliasesW, CreateJobObjectW, GetProcAddress, LoadLibraryA, WriteConsoleA, UnhandledExceptionFilter, InterlockedExchangeAdd, LocalAlloc, AddAtomW, AddAtomA, FoldStringA, lstrcatW, GetConsoleTitleW, BuildCommDCBA, FindFirstVolumeW, AreFileApisANSI, ZombifyActCtx, GetLogicalDriveStringsW, GetLastError, OpenJobObjectA, CreateFileA, WriteConsoleW, MultiByteToWideChar, HeapAlloc, HeapReAlloc, GetStartupInfoW, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, IsDebuggerPresent, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, DeleteCriticalSection, LeaveCriticalSection, EnterCriticalSection, HeapFree, VirtualFree, VirtualAlloc, HeapCreate, Sleep, ExitProcess, WriteFile, GetStdHandle, GetModuleFileNameA, SetHandleCount, GetFileType, GetStartupInfoA, HeapSize, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, LCMapStringA, WideCharToMultiByte, LCMapStringW, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, InitializeCriticalSectionAndSpinCount, RtlUnwind, ReadFile, GetConsoleCP, GetConsoleMode, FlushFileBuffers, SetFilePointer, SetStdHandle, CloseHandle, GetConsoleOutputCP
GDI32.dll | GetCharWidth32W
ADVAPI32.dll | EnumDependentServicesW
ole32.dll | CoTaskMemAlloc
WINHTTP.dll | WinHttpAddRequestHeaders
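The import table above is the kind of thing that gets compared across samples rather than read by hand: crypter builds routinely pad the table with rarely used APIs, and the standard way to cluster such builds is the import hash (imphash). The block below is an added example, not code from the Joe Sandbox report or from any tool it names. It implements the pefile/Mandiant normalisation (lower-case, strip .dll/.ocx/.sys, `library.function` joined by commas, MD5) and runs it over a constructed subset of the table; the subset hash is illustrative only, and the ws2_32/oleaut32 ordinal-to-name lookup that pefile also applies is deliberately omitted.

```python
"""Added example (not part of the Joe Sandbox report or of any tool it
names): compute a pefile/Mandiant-style import hash (imphash) from an
import table given as {dll: [function name or ordinal, ...]}.

SAMPLE_IMPORTS is a constructed subset of the import table shown on this
page, so its hash is illustrative only; hashing the complete table with
this code reproduces the value pefile's get_imphash() would give."""
import hashlib
import re

# Constructed subset of the DLL/Import table above (not the full list).
SAMPLE_IMPORTS = {
    "KERNEL32.dll": [
        "SetVolumeMountPointW", "GetComputerNameW", "SetCommBreak", "SleepEx",
        "GetCommProperties", "GetModuleHandleW", "GetTickCount", "GetProcAddress",
        "LoadLibraryA", "IsDebuggerPresent", "ZombifyActCtx", "CreateJobObjectW",
        "VirtualAlloc", "VirtualFree", "WriteConsoleW", "ExitProcess",
    ],
    "GDI32.dll": ["GetCharWidth32W"],
    "ADVAPI32.dll": ["EnumDependentServicesW"],
    "ole32.dll": ["CoTaskMemAlloc"],
    "WINHTTP.dll": ["WinHttpAddRequestHeaders"],
}


def _normalize_library(name: str) -> str:
    """Lower-case the module name and strip a trailing .dll/.ocx/.sys,
    exactly as pefile does before building the hashed string."""
    return re.sub(r"\.(dll|ocx|sys)$", "", name.lower())


def normalize_imports(imports: dict) -> str:
    """Build the comma-joined 'library.function' string that is hashed.

    Import-by-ordinal entries (ints) become 'ordN'. pefile additionally
    maps ws2_32/wsock32/oleaut32 ordinals back to names before hashing;
    that lookup table is omitted here, so binaries importing those DLLs
    by ordinal will hash differently from pefile."""
    parts = []
    for library, entries in imports.items():  # import directory order matters
        lib = _normalize_library(library)
        for entry in entries:
            if isinstance(entry, int):
                parts.append(f"{lib}.ord{entry}")
            else:
                parts.append(f"{lib}.{entry.lower()}")
    return ",".join(parts)


def imphash(imports: dict) -> str:
    """MD5 of the normalized import string, as a lowercase hex digest."""
    return hashlib.md5(normalize_imports(imports).encode("ascii")).hexdigest()


if __name__ == "__main__":
    print(normalize_imports(SAMPLE_IMPORTS))
    print("imphash (subset, illustrative):", imphash(SAMPLE_IMPORTS))
```

Because the hash is order-sensitive, two builds of the same crypter that emit the same junk-API list in the same order collapse to one imphash even when every byte of the payload differs, which is why it is worth pivoting on alongside the MD5/SHA256 values in the report.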
Language of compilation system | Country where language is spoken | Map
Turkish | Turkey |
Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.
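The per-process records that follow carry two facts worth checking mechanically rather than by eye: Target 5 runs an image with the same MD5 as the submitted sample from a different path, and that image sits under the user's AppData\Roaming tree with no file extension. The block below is an added example, not part of the Joe Sandbox report, that transcribes those records into dicts (constructed input) and runs both checks; the self-copy check is the generic version of the pattern, so it works for any process list where a drop of the original binary is re-executed.

```python
"""Added example (not part of the Joe Sandbox report): triage checks
over the per-process records that follow, transcribed into dicts.
It flags a second process whose image carries the same MD5 as the
submitted sample but runs from another path (the self-copy loaders
such as SmokeLoader plant before the original exits), and images
started from the user's AppData tree with no file extension."""
from pathlib import PureWindowsPath

# Transcribed from the Target entries on this page (constructed input).
PROCESSES = [
    {"id": 0, "path": r"C:\Users\user\Desktop\5GOuTtZoQn.exe",
     "md5": "5F93B2E5FAF3721C176353FD8AB82F9D", "wow64": True},
    {"id": 1, "path": r"C:\Windows\explorer.exe",
     "md5": "662F4F92FDE3557E86D110526BB578D5", "wow64": False},
    {"id": 3, "path": r"C:\Program Files\Windows Defender\MpCmdRun.exe",
     "md5": "B3676839B2EE96983F9ED735CD044159", "wow64": False},
    {"id": 4, "path": r"C:\Windows\System32\conhost.exe",
     "md5": "0D698AF330FD17BEE3BF90011D49251D", "wow64": False},
    {"id": 5, "path": r"C:\Users\user\AppData\Roaming\wdugfia",
     "md5": "5F93B2E5FAF3721C176353FD8AB82F9D", "wow64": True},
]


def find_self_copies(procs, sample_id=0):
    """IDs of processes whose image hash equals the sample's but whose
    path differs: the same binary re-launched from a drop location."""
    sample = next(p for p in procs if p["id"] == sample_id)
    return [
        p["id"] for p in procs
        if p["id"] != sample_id
        and p["md5"].lower() == sample["md5"].lower()
        and p["path"].lower() != sample["path"].lower()
    ]


def find_extensionless_appdata(procs):
    """IDs of processes executed from %APPDATA%/%LOCALAPPDATA% whose
    image name has no extension, a drop naming style that sidesteps
    casual 'look for new .exe files' checks."""
    hits = []
    for p in procs:
        path = PureWindowsPath(p["path"])
        parts = [part.lower() for part in path.parts]
        if "appdata" in parts and path.suffix == "":
            hits.append(p["id"])
    return hits


def triage(procs, sample_id=0):
    """Run all checks and return the findings keyed by check name."""
    return {
        "self_copies": find_self_copies(procs, sample_id),
        "extensionless_appdata": find_extensionless_appdata(procs),
    }


if __name__ == "__main__":
    for check, ids in triage(PROCESSES).items():
        print(f"{check}: target IDs {ids}")
```

Both checks are cheap enough to run over every process record a sandbox or EDR emits; a hit on `self_copies` in particular is a strong sign that the original file will be deleted and the copy re-launched, so the copy's path is what belongs in the containment action.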

Target ID: 0
Start time: 07:27:02
Start date: 03/07/2024
Path: C:\Users\user\Desktop\5GOuTtZoQn.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\5GOuTtZoQn.exe"
Imagebase: 0x400000
File size: 284'672 bytes
MD5 hash: 5F93B2E5FAF3721C176353FD8AB82F9D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1854520815.0000000002500000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1854520815.0000000002500000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1854500732.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1854573605.0000000002541000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1854573605.0000000002541000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1854648292.00000000025B1000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: true

Target ID: 1
Start time: 07:27:14
Start date: 03/07/2024
Path: C:\Windows\explorer.exe
Wow64 process (32bit): false
Commandline: C:\Windows\Explorer.EXE
Imagebase: 0x7ff72b770000
File size: 5'141'208 bytes
MD5 hash: 662F4F92FDE3557E86D110526BB578D5
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 3
Start time: 07:27:26
Start date: 03/07/2024
Path: C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase: 0x7ff70d820000
File size: 468'120 bytes
MD5 hash: B3676839B2EE96983F9ED735CD044159
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 4
Start time: 07:27:26
Start date: 03/07/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7699e0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 07:27:33
Start date: 03/07/2024
Path: C:\Users\user\AppData\Roaming\wdugfia
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Roaming\wdugfia
Imagebase: 0x400000
File size: 284'672 bytes
MD5 hash: 5F93B2E5FAF3721C176353FD8AB82F9D
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000005.00000002.2153839501.0000000003F90000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.2153894558.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.2153894558.0000000003FA0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                        • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000005.00000002.2153984228.0000000003FE1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                        • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000005.00000002.2153984228.0000000003FE1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                        • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000005.00000002.2153686108.0000000002471000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                        • Detection: 61%, ReversingLabs
                                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:6
                                                                                                                                                                                                                        Start time:07:27:47
                                                                                                                                                                                                                        Start date:03/07/2024
                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\E636.exe
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:C:\Users\user\AppData\Local\Temp\E636.exe
                                                                                                                                                                                                                        Imagebase:0x7a0000
                                                                                                                                                                                                                        File size:6'642'176 bytes
                                                                                                                                                                                                                        MD5 hash:BD2EAC64CBDED877608468D86786594A
                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000003.2234378949.000000000175F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000003.2223257274.000000000175F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000003.2236092761.000000000175F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000003.2234378949.00000000016FE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000003.2264120478.0000000001701000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000003.2212422021.000000000175F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000003.2235294827.0000000001700000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000003.2264560521.0000000001706000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000003.2232951408.000000000175F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000003.2236092761.0000000001700000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000003.2235294827.000000000175F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000003.2247835335.0000000001700000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000003.2247835335.000000000175F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                        • Detection: 100%, Avira
                                                                                                                                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                                                        • Detection: 68%, ReversingLabs
                                                                                                                                                                                                                        Reputation:moderate
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:8
                                                                                                                                                                                                                        Start time:07:27:56
                                                                                                                                                                                                                        Start date:03/07/2024
                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\AD6.exe
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:C:\Users\user\AppData\Local\Temp\AD6.exe
                                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                                        File size:293'869 bytes
                                                                                                                                                                                                                        MD5 hash:60172CA946DE57C3529E9F05CC502870
                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                        • Detection: 100%, Avira
                                                                                                                                                                                                                        • Detection: 21%, ReversingLabs
                                                                                                                                                                                                                        Reputation:moderate
                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                        Target ID:9
                                                                                                                                                                                                                        Start time:07:28:02
                                                                                                                                                                                                                        Start date:03/07/2024
                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\2DF0.exe
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:C:\Users\user\AppData\Local\Temp\2DF0.exe
                                                                                                                                                                                                                        Imagebase:0xb00000
                                                                                                                                                                                                                        File size:578'048 bytes
                                                                                                                                                                                                                        MD5 hash:DA4B6F39FC024D2383D4BFE7F67F1EE1
                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                        • Rule: JoeSecurity_PovertyStealer, Description: Yara detected Poverty Stealer, Source: 00000009.00000002.2987292224.000000000126C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                        • Rule: JoeSecurity_PovertyStealer, Description: Yara detected Poverty Stealer, Source: 00000009.00000002.2988116312.0000000003950000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                                                                                                                                        • Detection: 54%, ReversingLabs
                                                                                                                                                                                                                        Reputation:moderate
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:11
                                                                                                                                                                                                                        Start time:07:29:18
                                                                                                                                                                                                                        Start date:03/07/2024
                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Local\Temp\setup.exe
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Local\Temp\setup.exe"
                                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                                        File size:107'232'830 bytes
                                                                                                                                                                                                                        MD5 hash:FF2293FBFF53F4BD2BFF91780FABFD60
                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                        • Detection: 100%, Avira
                                                                                                                                                                                                                        • Detection: 3%, ReversingLabs
                                                                                                                                                                                                                        Reputation:moderate
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:12
                                                                                                                                                                                                                        Start time:07:29:47
                                                                                                                                                                                                                        Start date:03/07/2024
                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                        Imagebase:0x860000
                                                                                                                                                                                                                        File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Antivirus matches:
• Detection: 100%, Avira
• Detection: 100%, Joe Sandbox ML
• Detection: 3%, ReversingLabs
Reputation:moderate
Has exited:true

Target ID:14
Start time:07:29:54
Start date:03/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/127.1 Mobile/15E148 Safari/605.1.15" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3308 --field-trial-handle=3304,i,784606554325148639,9845247229423355752,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Imagebase:0x470000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:15
Start time:07:29:54
Start date:03/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/127.1 Mobile/15E148 Safari/605.1.15" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3528 --field-trial-handle=3304,i,784606554325148639,9845247229423355752,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Imagebase:0x300000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:16
Start time:07:29:54
Start date:03/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/127.1 Mobile/15E148 Safari/605.1.15" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3664 --field-trial-handle=3304,i,784606554325148639,9845247229423355752,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Imagebase:0x830000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:moderate
Has exited:true

Target ID:17
Start time:07:29:54
Start date:03/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/127.1 Mobile/15E148 Safari/605.1.15" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1719999716977116 --launch-time-ticks=7077579277 --mojo-platform-channel-handle=3760 --field-trial-handle=3304,i,784606554325148639,9845247229423355752,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Imagebase:0xce0000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:18
Start time:07:29:54
Start date:03/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/127.1 Mobile/15E148 Safari/605.1.15" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1719999716977116 --launch-time-ticks=7077667358 --mojo-platform-channel-handle=4152 --field-trial-handle=3304,i,784606554325148639,9845247229423355752,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Imagebase:0x10000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:19
Start time:07:29:54
Start date:03/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:0xa50000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:20
Start time:07:29:55
Start date:03/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:0x840000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:21
Start time:07:29:56
Start date:03/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:0x8a0000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:07:29:56
Start date:03/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:0x310000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:07:29:59
Start date:03/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                                                                                                                                                                                        Imagebase:0x870000
                                                                                                                                                                                                                        File size:296'448 bytes
                                                                                                                                                                                                                        MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                        Target ID:24
                                                                                                                                                                                                                        Start time:07:29:59
                                                                                                                                                                                                                        Start date:03/07/2024
                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                                                                                                                                                                                        Imagebase:0xc50000
                                                                                                                                                                                                                        File size:296'448 bytes
                                                                                                                                                                                                                        MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                        Target ID:25
                                                                                                                                                                                                                        Start time:07:29:59
                                                                                                                                                                                                                        Start date:03/07/2024
                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                                                                                                                                                                                        Imagebase:0x750000
                                                                                                                                                                                                                        File size:296'448 bytes
                                                                                                                                                                                                                        MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:26
                                                                                                                                                                                                                        Start time:07:30:00
                                                                                                                                                                                                                        Start date:03/07/2024
                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                                                                                                                                                                                        Imagebase:0x960000
                                                                                                                                                                                                                        File size:296'448 bytes
                                                                                                                                                                                                                        MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                        Target ID:27
                                                                                                                                                                                                                        Start time:07:30:00
                                                                                                                                                                                                                        Start date:03/07/2024
                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                                                                                                                                                                                        Imagebase:0x70000
                                                                                                                                                                                                                        File size:296'448 bytes
                                                                                                                                                                                                                        MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                        Target ID:28
                                                                                                                                                                                                                        Start time:07:30:00
                                                                                                                                                                                                                        Start date:03/07/2024
                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                                                                                                                                                                                        Imagebase:0xb10000
                                                                                                                                                                                                                        File size:296'448 bytes
                                                                                                                                                                                                                        MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                        Target ID:29
                                                                                                                                                                                                                        Start time:07:30:01
                                                                                                                                                                                                                        Start date:03/07/2024
                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                                                                                                                                                                                        Imagebase:0xa90000
                                                                                                                                                                                                                        File size:296'448 bytes
                                                                                                                                                                                                                        MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                        Target ID:30
                                                                                                                                                                                                                        Start time:07:30:02
                                                                                                                                                                                                                        Start date:03/07/2024
                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                                                                                                                                                                                        Imagebase:0xc60000
                                                                                                                                                                                                                        File size:296'448 bytes
                                                                                                                                                                                                                        MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                        Target ID:31
                                                                                                                                                                                                                        Start time:07:30:02
                                                                                                                                                                                                                        Start date:03/07/2024
                                                                                                                                                                                                                        Path:C:\Users\user\AppData\Roaming\wdugfia
                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                        Commandline:C:\Users\user\AppData\Roaming\wdugfia
                                                                                                                                                                                                                        Imagebase:0x400000
                                                                                                                                                                                                                        File size:284'672 bytes
                                                                                                                                                                                                                        MD5 hash:5F93B2E5FAF3721C176353FD8AB82F9D
                                                                                                                                                                                                                        Has elevated privileges:false
                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                        Programmed in:C, C++ or other language
Has exited:false

Target ID:32
Start time:07:30:02
Start date:03/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:0x170000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:33
Start time:07:30:03
Start date:03/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:0x450000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:34
Start time:07:30:04
Start date:03/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:0xd30000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:35
Start time:07:30:04
Start date:03/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:0xf90000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:36
Start time:07:30:05
Start date:03/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:0x300000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:37
Start time:07:30:06
Start date:03/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:0x610000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:38
Start time:07:30:07
Start date:03/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:0x960000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:39
Start time:07:30:07
Start date:03/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:0xf60000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

Target ID:40
Start time:07:30:07
Start date:03/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:0x9e0000
File size:296'448 bytes
MD5 hash:7A3502C1119795D35569535DE243B6FE
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false
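
The process table above lists the same GamePall.exe binary (identical path and MD5) started nine times, about one second apart, from the user's AppData\Roaming directory, each instance at a different image base (the loader relocating the image under ASLR). When triaging many reports, that burst-relaunch pattern is worth checking mechanically rather than by eye. The Python below is an added example, not part of the Joe Sandbox report: it parses the report's key:value process records (four of them, Target IDs 37 to 40, copied from the table above and trimmed to the fields the check uses), groups launches by path and hash, and flags groups that were relaunched several times within a short window. The "user-writable" regex covers only AppData\Roaming and AppData\Local and is an assumption, as is the dd/mm/yyyy date format.

```python
import re
from collections import defaultdict
from datetime import datetime

# Four of the process records above (Target IDs 37 to 40), copied from the
# report and trimmed to the fields this check uses.
SAMPLE_RECORDS = r"""
Target ID:37
Start time:07:30:06
Start date:03/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Imagebase:0x610000
MD5 hash:7A3502C1119795D35569535DE243B6FE

Target ID:38
Start time:07:30:07
Start date:03/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Imagebase:0x960000
MD5 hash:7A3502C1119795D35569535DE243B6FE

Target ID:39
Start time:07:30:07
Start date:03/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Imagebase:0xf60000
MD5 hash:7A3502C1119795D35569535DE243B6FE

Target ID:40
Start time:07:30:07
Start date:03/07/2024
Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Imagebase:0x9e0000
MD5 hash:7A3502C1119795D35569535DE243B6FE
"""


def parse_process_records(text):
    """Split blank-line separated 'key:value' blocks into one dict per process.
    partition() splits on the first colon only, so 'Start time:07:30:06' and
    'Path:C:\\...' keep their values intact."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.strip().partition(":")
            if sep:
                rec[key] = value
        if rec:
            records.append(rec)
    return records


def start_time(rec):
    # Joe Sandbox prints the date as dd/mm/yyyy (assumed); only differences
    # between records matter here, so day/month order does not change results.
    return datetime.strptime(f"{rec['Start date']} {rec['Start time']}",
                             "%d/%m/%Y %H:%M:%S")


# Assumed list of user-writable locations treated as suspicious launch paths.
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)


def is_user_writable_path(path):
    return bool(USER_WRITABLE.search(path))


def find_respawns(records, window_seconds=10, min_count=3):
    """Group launches by (path, MD5) and report groups of at least min_count
    launches whose first and last start times lie within window_seconds."""
    groups = defaultdict(list)
    for rec in records:
        groups[(rec["Path"].lower(), rec["MD5 hash"].lower())].append(rec)
    hits = []
    for recs in groups.values():
        recs.sort(key=start_time)          # stable: equal timestamps keep report order
        span = (start_time(recs[-1]) - start_time(recs[0])).total_seconds()
        if len(recs) >= min_count and span <= window_seconds:
            hits.append({
                "path": recs[0]["Path"],
                "md5": recs[0]["MD5 hash"],
                "count": len(recs),
                "span_seconds": span,
                "targets": [r["Target ID"] for r in recs],
                "imagebases": [r["Imagebase"] for r in recs],
                "user_writable": is_user_writable_path(recs[0]["Path"]),
            })
    return hits


if __name__ == "__main__":
    for hit in find_respawns(parse_process_records(SAMPLE_RECORDS)):
        print(f"{hit['count']}x {hit['path']} within {hit['span_seconds']:.0f}s "
              f"(targets {', '.join(hit['targets'])}; "
              f"user-writable={hit['user_writable']})")
```

The distinct image bases in each hit are a useful sanity check that these are separate launches of a relocatable image rather than one record duplicated by the report renderer.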

Execution Graph

Execution Coverage:5.4%
Dynamic/Decrypted Code Coverage:39.2%
Signature Coverage:48%
Total number of Nodes:125
Total number of Limit Nodes:2

execution_graph (the node/edge dump was flattened by extraction; the call chains it encodes are listed below with the node addresses as given)

Section-mapping routine at 0x4015e9 (also entered at 0x4015f4, 0x401619 via 0x40161f, and 0x4017f7, which goes straight to 0x401797 NtMapViewOfSection):
  0x4015fa -> 0x40169c NtDuplicateObject -> 0x4016b9 NtCreateSection -> 0x4016df NtMapViewOfSection -> 0x401702 NtMapViewOfSection -> 0x401720 -> 0x401739 NtCreateSection -> 0x401765 -> 0x40176f NtMapViewOfSection -> 0x401796 NtMapViewOfSection -> 0x4017b8
  Failure edges: NtDuplicateObject and the second NtCreateSection/NtMapViewOfSection group go to 0x4017b8 (the routine's exit node); failures in the first NtCreateSection/NtMapViewOfSection pair fall through to 0x401739. 0x4017b8 returns to 0x401a32 -> 0x40300b.

Callers of the routine: 0x4019bd -> 0x4019ce -> 0x401a06 Sleep -> 0x401a21 -> 0x4015e9 (also entered at 0x4019c8/0x4019cc and 0x4019ec/0x4019e6). 0x4019bd is reached from 0x402f64 -> 0x402f5b, from 0x402f23 -> 0x402f44 (8 API calls) and from 0x40300e -> 0x402ff3; all return to 0x40300b.

Remote thread creation: 0x403222 -> 0x4031ee RtlCreateUserThread NtTerminateProcess -> 0x403213; 0x4030c5 -> 0x4030ef -> 0x4031aa RtlCreateUserThread NtTerminateProcess -> 0x40321c.

Code at addresses outside the 0x40xxxx image range, region 0x24f0000 (entered at 0x24f0001/0x24f0005 and at 0x24f003c):
  0x24f092b GetPEB -> 0x24f0972 -> 0x24f0030 -> 0x24f003c -> 0x24f0049 -> 0x24f0e0f SetErrorMode SetErrorMode -> 0x24f0223 -> 0x24f0d90 -> 0x24f0dad -> 0x24f0dbb GetPEB -> 0x24f0238 VirtualAlloc -> 0x24f0265 -> 0x24f02ce VirtualProtect -> 0x24f030b -> 0x24f0439 VirtualFree -> 0x24f04be LoadLibraryA -> 0x24f08c7

Code at addresses outside the 0x40xxxx image range, region 0x25b4000:
  0x25b4248 -> 0x25b4252 -> 0x25b4261 -> 0x25b49f2 -> 0x25b4a0d -> 0x25b4a16 CreateToolhelp32Snapshot (retried via 0x25b4a0d) -> 0x25b4a32 Module32First -> 0x25b4a41 -> 0x25b46b1 -> 0x25b46dc -> 0x25b46ed VirtualAlloc -> 0x25b4725 (self-loop); Module32First failure returns to 0x25b4251.

Control-flow Graph (entry 004015e9; summary of the report's graph data, the rendered executed/not-executed colouring is not reproduced)
• Main path: 4015e9-4015f2 → 4015fa-401646 (call 401268) → 40164b-401650 → 401656-401667 → 40166d-401696 → 40169c-4016b3 NtDuplicateObject → 4016b9-4016dd NtCreateSection → 4016df-401700 NtMapViewOfSection → 401702-40171e NtMapViewOfSection → 401720-401736 → 401739-40175f NtCreateSection → 401765-401769 → 40176f-401790 NtMapViewOfSection → 401796-4017b2 NtMapViewOfSection → 4017b8 (call 4017bd)
• Other edges: 4016b9, 4016df, 401702 and 401720 also branch to 401739-40175f; 401656, 40166d, 40169c, 401739, 401765, 40176f and 401796 also branch to 401963 → 401972-4019ba (call 401268); 401965-40196d loops back to 40164b-401650
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016AB
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016D8
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016FB
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401719
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040175A
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040178B
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017AD
Memory Dump Source
• Source File: 00000000.00000002.1853556724.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_5GOuTtZoQn.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: c403c01a180556a21b32c54d606707ce257114ba21ce773171317465317b1327
• Instruction ID: 81f6fda8427d1b43236a49491d64036918e053862e587f83ca4f6c41e111eef5
• Opcode Fuzzy Hash: c403c01a180556a21b32c54d606707ce257114ba21ce773171317465317b1327
• Instruction Fuzzy Hash: AC615EB0504245FBEB208F95CC89FAF7BB8EF85B04F14012AF912BA1E4D7759901DB69
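The seven calls in this record are the section-mapping injection behind the "Maps a DLL or memory area into another process" signature: NtDuplicateObject with option 2 (DUPLICATE_SAME_ACCESS), then two pagefile-backed sections (FileHandle 0, allocation attribute 08000000 = SEC_COMMIT). The first is created with protection 00000004 (PAGE_READWRITE) and mapped with that protection into the current process and then into a second process handle; the second is created with 00000040 (PAGE_EXECUTE_READWRITE), mapped PAGE_READWRITE locally and 00000020 (PAGE_EXECUTE_READ) into the other process, so the writer never needs a writable-and-executable view in the target. The script below is an added example for triage, not code from the report, Joe Sandbox or the sample: it parses the API lines exactly as printed above, names the flag values, and flags a section that is mapped locally and then into a different process handle. Two assumptions are labelled in the code: that the report renders the current-process pseudo-handle (-1) as 000000FF, and that, because section handles are printed as ?, each view belongs to the most recent NtCreateSection in program order.

```python
"""Decode the Nt* section-mapping calls from a Joe Sandbox API record and flag
cross-process section mapping (added example; not part of the report or sample)."""
import re
from dataclasses import dataclass

# Input: the seven API lines copied verbatim from the report's 004015e9 record.
REPORT_API_LINES = """\
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016AB
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016D8
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016FB
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401719
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040175A
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040178B
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017AD
"""

LINE_RE = re.compile(r"(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)")

# Documented Windows constants (winnt.h / ntifs.h).
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80
SECTION_ACCESS = {0x1: "SECTION_QUERY", 0x2: "SECTION_MAP_WRITE", 0x4: "SECTION_MAP_READ",
                  0x8: "SECTION_MAP_EXECUTE", 0x10: "SECTION_EXTEND_SIZE"}
ALLOC_ATTR = {0x01000000: "SEC_IMAGE", 0x04000000: "SEC_RESERVE", 0x08000000: "SEC_COMMIT"}
DUP_OPTIONS = {0x1: "DUPLICATE_CLOSE_SOURCE", 0x2: "DUPLICATE_SAME_ACCESS"}
INHERIT = {1: "ViewShare", 2: "ViewUnmap"}
# Assumption: the report prints the current-process pseudo-handle (-1) as 000000FF.
CURRENT_PROCESS = {"000000FF", "FFFFFFFF"}


@dataclass
class Call:
    api: str
    module: str
    args: list   # raw hex strings; "?" where the sandbox could not resolve the value
    ref: int     # return address of the call site


def parse_api_line(line):
    m = LINE_RE.search(line)
    if not m:
        return None
    api, module, raw, ref = m.groups()
    return Call(api, module, [a.strip() for a in raw.split(",")], int(ref, 16))


def parse_report(text):
    return [c for c in map(parse_api_line, text.splitlines()) if c]


def arg_int(call, i):
    a = call.args[i] if i < len(call.args) else "?"
    return None if a == "?" else int(a, 16)


def flags(value, table):
    if value is None:
        return "?"
    names = [n for bit, n in table.items() if value & bit]
    return "|".join(names) if names else hex(value)


def decode(call):
    """Name the arguments that matter for section-mapping injection."""
    d = {"api": call.api, "ref": f"{call.ref:08X}"}
    if call.api == "NtCreateSection":
        # (SectionHandle, DesiredAccess, ObjectAttributes, MaximumSize, PageProtection, AllocAttrs, FileHandle)
        d["access"] = flags(arg_int(call, 1), SECTION_ACCESS)
        d["protect"] = PAGE_PROTECT.get(arg_int(call, 4), "?")
        d["alloc"] = flags(arg_int(call, 5), ALLOC_ATTR)
        d["pagefile_backed"] = arg_int(call, 6) == 0
    elif call.api == "NtMapViewOfSection":
        # (SectionHandle, ProcessHandle, BaseAddress, ZeroBits, CommitSize, SectionOffset,
        #  ViewSize, InheritDisposition, AllocationType, Win32Protect)
        proc = call.args[1].upper()
        d["target"] = "current process" if proc in CURRENT_PROCESS else f"other handle ({proc})"
        d["inherit"] = INHERIT.get(arg_int(call, 7), "?")
        d["protect"] = PAGE_PROTECT.get(arg_int(call, 9), "?")
    elif call.api == "NtDuplicateObject":
        # (SourceProcess, SourceHandle, TargetProcess, TargetHandle, Access, Attributes, Options)
        d["options"] = flags(arg_int(call, 6), DUP_OPTIONS)
    return d


def detect_section_injection(calls):
    """Flag a section mapped into the current process and then into a different
    process handle. Assumption: views belong to the most recent NtCreateSection
    in program order, because the report prints section handles as '?'."""
    findings, section, local_view = [], None, None
    for c in calls:
        if c.api == "NtCreateSection":
            section, local_view = decode(c), None
        elif c.api == "NtMapViewOfSection" and section is not None:
            view = decode(c)
            if view["target"] == "current process":
                local_view = view
            elif local_view is not None:
                prot = arg_int(c, 9) or 0
                findings.append({"section_ref": section["ref"], "section_protect": section["protect"],
                                 "local_ref": local_view["ref"], "remote_ref": view["ref"],
                                 "remote_protect": view["protect"],
                                 "executable": bool(prot & EXECUTE_MASK)})
    return findings


if __name__ == "__main__":
    calls = parse_report(REPORT_API_LINES)
    for c in calls:
        print(decode(c))
    for f in detect_section_injection(calls):
        print("cross-process section view:", f)
```

Run against the record above it reports two cross-process views, and only the second (remote view mapped PAGE_EXECUTE_READ at 004017AD, from the section created PAGE_EXECUTE_READWRITE at 0040175A) is executable, which is the view to look for when hunting the same technique in ETW or kernel-callback telemetry.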

Control-flow Graph (entry 00401619; summary of the report's graph data, the rendered executed/not-executed colouring is not reproduced)
• Main path: 401619-40161d → 40161f-401646 (call 401268) → 40164b-401650 → 401656-401667 → 40166d-401696 → 40169c-4016b3 NtDuplicateObject → 4016b9-4016dd NtCreateSection → 4016df-401700 NtMapViewOfSection → 401702-40171e NtMapViewOfSection → 401720-401736 → 401739-40175f NtCreateSection → 401765-401769 → 40176f-401790 NtMapViewOfSection → 401796-4017b2 NtMapViewOfSection → 4017b8 (call 4017bd)
• Other edges: 401619-40161d also branches to 4015ce-4015e6; 4016b9, 4016df, 401702 and 401720 also branch to 401739-40175f; 401656, 40166d, 40169c, 401739, 401765, 40176f and 401796 also branch to 401963 → 401972-4019ba (call 401268); 401965-40196d loops back to 40164b-401650
APIs: the same seven calls as in the 004015e9 record above (NtDuplicateObject at 004016AB, NtCreateSection at 004016D8 and 0040175A, NtMapViewOfSection at 004016FB, 00401719, 0040178B and 004017AD, identical arguments)
Memory Dump Source
• Source File: 00000000.00000002.1853556724.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_5GOuTtZoQn.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: 3d4281f98edc4d5c9fab7c34e02c6c853fffeeebf89f5f13e04729d870c637b5
• Instruction ID: 34f674698f60fb638750c99b36bb87cf40fbeb55ae16eb5ab1a87acb7576c899
• Opcode Fuzzy Hash: 3d4281f98edc4d5c9fab7c34e02c6c853fffeeebf89f5f13e04729d870c637b5
• Instruction Fuzzy Hash: 5A512AB1900245AFEB208F91CC88FEF7BB8FF85B14F104169F911BA2A5D7709905CB64

Control-flow Graph (entry 00401603; summary of the report's graph data, the rendered executed/not-executed colouring is not reproduced)
• Main path: 401603-401646 (call 401268) → 40164b-401650 → 401656-401667 → 40166d-401696 → 40169c-4016b3 NtDuplicateObject → 4016b9-4016dd NtCreateSection → 4016df-401700 NtMapViewOfSection → 401702-40171e NtMapViewOfSection → 401720-401736 → 401739-40175f NtCreateSection → 401765-401769 → 40176f-401790 NtMapViewOfSection → 401796-4017b2 NtMapViewOfSection → 4017b8 (call 4017bd)
• Other edges: 4016b9, 4016df, 401702 and 401720 also branch to 401739-40175f; 401656, 40166d, 40169c, 401739, 401765, 40176f and 401796 also branch to 401963 → 401972-4019ba (call 401268); 401965-40196d loops back to 40164b-401650
APIs: the same seven calls as in the 004015e9 record above (NtDuplicateObject at 004016AB, NtCreateSection at 004016D8 and 0040175A, NtMapViewOfSection at 004016FB, 00401719, 0040178B and 004017AD, identical arguments)
Memory Dump Source
• Source File: 00000000.00000002.1853556724.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_5GOuTtZoQn.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: 4186ed6ca559843089d86802de6bf93cc630300b35f8a7e227ae1c2dabc27439
• Instruction ID: 500dda8f23b5602c1307b1711735e417e9b6475dbe97846f9c47cbefd4493b2b
• Opcode Fuzzy Hash: 4186ed6ca559843089d86802de6bf93cc630300b35f8a7e227ae1c2dabc27439
• Instruction Fuzzy Hash: 5D510BB4900245BBEB208F91CC88FAF7BB8FF85B10F14016AF911BA2E5D7759945CB64

Control-flow Graph (entry 004015f4; summary of the report's graph data, the rendered executed/not-executed colouring is not reproduced)
• Main path: 4015f4-401646 (call 401268) → 40164b-401650 → 401656-401667 → 40166d-401696 → 40169c-4016b3 NtDuplicateObject → 4016b9-4016dd NtCreateSection → 4016df-401700 NtMapViewOfSection → 401702-40171e NtMapViewOfSection → 401720-401736 → 401739-40175f NtCreateSection → 401765-401769 → 40176f-401790 NtMapViewOfSection → 401796-4017b2 NtMapViewOfSection → 4017b8 (call 4017bd)
• Other edges: 4016b9, 4016df, 401702 and 401720 also branch to 401739-40175f; 401656, 40166d, 40169c, 401739, 401765, 40176f and 401796 also branch to 401963 → 401972-4019ba (call 401268); 401965-40196d loops back to 40164b-401650
APIs: the same seven calls as in the 004015e9 record above (NtDuplicateObject at 004016AB, NtCreateSection at 004016D8 and 0040175A, NtMapViewOfSection at 004016FB, 00401719, 0040178B and 004017AD, identical arguments)
Memory Dump Source
• Source File: 00000000.00000002.1853556724.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_5GOuTtZoQn.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: d8de2cd78c693d786da25ad92aa3590499b5e06c5f1034c6ee7cdd7a8a44e8d5
• Instruction ID: 8b638c4f7f3c0f26ddcfcec7b057d6f6967c7c5477f34391eb5885aa1730f63c
• Opcode Fuzzy Hash: d8de2cd78c693d786da25ad92aa3590499b5e06c5f1034c6ee7cdd7a8a44e8d5
• Instruction Fuzzy Hash: CA510BB4900245BBEB208F91CC88FAF7BB8FF85B10F14016AF911BA2E5D7759945CB64

Control-flow Graph (entry 00401609; summary of the report's graph data, the rendered executed/not-executed colouring is not reproduced)
• Main path: 401609-401646 (call 401268) → 40164b-401650 → 401656-401667 → 40166d-401696 → 40169c-4016b3 NtDuplicateObject → 4016b9-4016dd NtCreateSection → 4016df-401700 NtMapViewOfSection → 401702-40171e NtMapViewOfSection → 401720-401736 → 401739-40175f NtCreateSection → 401765-401769 → 40176f-401790 NtMapViewOfSection → 401796-4017b2 NtMapViewOfSection → 4017b8 (call 4017bd)
• Other edges: 4016b9, 4016df, 401702 and 401720 also branch to 401739-40175f; 401656, 40166d, 40169c, 401739, 401765, 40176f and 401796 also branch to 401963 → 401972-4019ba (call 401268); 401965-40196d loops back to 40164b-401650
APIs: the same seven calls as in the 004015e9 record above (NtDuplicateObject at 004016AB, NtCreateSection at 004016D8 and 0040175A, NtMapViewOfSection at 004016FB, 00401719, 0040178B and 004017AD, identical arguments)
Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1853556724.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_5GOuTtZoQn.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Section$View$Create$DuplicateObject
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1546783058-0
                                                                                                                                                                                                                          • Opcode ID: 3459b8fafdf8a8df719c8fb692eff12af857f3ad78a1142d35235e32c4799eaf
                                                                                                                                                                                                                          • Instruction ID: 8a1e2b8333ad6a574571ef74a267b756117d0849135357e0b61be7edc131f59a
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3459b8fafdf8a8df719c8fb692eff12af857f3ad78a1142d35235e32c4799eaf
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3C512AB4900245BBEB208F91CC88FAF7BB8FF85B10F100129F911BA2A5D7759945CB64

Control-flow Graph (rendered as an image in the report; legend: Executed / Not Executed). Basic blocks 0x401632 to 0x4019ba, with calls to 0x401268, NtDuplicateObject, NtCreateSection and NtMapViewOfSection, ending in a call to 0x4017bd.
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016AB
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016D8
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016FB
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401719
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040175A
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040178B
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017AD
Memory Dump Source
• Source File: 00000000.00000002.1853556724.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_5GOuTtZoQn.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: 73eedc29cdf7be90d3b565f1e242fa5b34b97ee6546eaec91e452f80b0ccb5af
• Instruction ID: e56c67f9e8f5edeb92f1a0f588b2a2b834a4b3448f2afe8c32594d36a8ed9c60
• Opcode Fuzzy Hash: 73eedc29cdf7be90d3b565f1e242fa5b34b97ee6546eaec91e452f80b0ccb5af
• Instruction Fuzzy Hash: 9151F8B5900249BFEB208F91CC88FDFBBB8FF85B14F100159BA11BA2A5D7709945CB24

Control-flow Graph (rendered as an image in the report; legend: Executed / Not Executed). Basic blocks 0x4030c5 to 0x403221, with calls to RtlCreateUserThread and NtTerminateProcess in the block at 0x4031aa.
APIs
Memory Dump Source
• Source File: 00000000.00000002.1853556724.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_5GOuTtZoQn.jbxd
Similarity
• API ID: CreateProcessTerminateThreadUser
• String ID:
• API String ID: 1921587553-0
• Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
• Instruction ID: 312986233a1ab2372f57b14058cfc035e9d9fe77e3ddd66eb4c0ae072f0c4bc6
• Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
• Instruction Fuzzy Hash: EB413631218E084FD768EF6CA84976277D5F798311F6643AAE809D7389EA34DC1183C5

Control-flow Graph (rendered as an image in the report; legend: Executed / Not Executed). Basic blocks 0x25b49f2 to 0x25b4a50, with calls to CreateToolhelp32Snapshot, Module32First and 0x25b46b1.
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 025B4A1A
• Module32First.KERNEL32(00000000,00000224), ref: 025B4A3A
Memory Dump Source
• Source File: 00000000.00000002.1854648292.00000000025B1000.00000040.00000020.00020000.00000000.sdmp, Offset: 025B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_25b1000_5GOuTtZoQn.jbxd
Yara matches
Similarity
• API ID: CreateFirstModule32SnapshotToolhelp32
• String ID:
• API String ID: 3833638111-0
• Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction ID: ff51bc355daaed38aff3025370ec17f14f34f22b59a57a1fc5e52c36da3110d1
• Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction Fuzzy Hash: 06F0F6365003106BD7313BF8A89CBEE7AEDBF4A624F100128E642D14C1DB70E8058A69

Control-flow Graph (rendered as an image in the report; legend: Executed / Not Executed). Basic blocks 0x403222 to 0x40323e, with calls to RtlCreateUserThread and NtTerminateProcess in the block at 0x4031ee.
APIs
Memory Dump Source
• Source File: 00000000.00000002.1853556724.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_5GOuTtZoQn.jbxd
Similarity
• API ID: CreateProcessTerminateThreadUser
• String ID:
• API String ID: 1921587553-0
• Opcode ID: 5d7857a4a428113aea85439a71c383134f8f036b8fb53e8d04ea105b502fc76d
• Instruction ID: 7a3a570a7e2b6e2e57b365b8c386a87b2fd15f69fabf49474fc32827e03357c3
• Opcode Fuzzy Hash: 5d7857a4a428113aea85439a71c383134f8f036b8fb53e8d04ea105b502fc76d
• Instruction Fuzzy Hash: B8E09B3191494909E224E6A964423E4BB80F789236F6411EBD565D12C1E55F879782C6

Control-flow Graph (rendered as an image in the report; legend: Executed / Not Executed). Basic blocks 0x4017f7 to 0x4019ba, with calls to NtMapViewOfSection, 0x401268 and 0x4017bd.
APIs
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017AD
Memory Dump Source
• Source File: 00000000.00000002.1853556724.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_5GOuTtZoQn.jbxd
Similarity
• API ID: SectionView
• String ID:
• API String ID: 1323581903-0
• Opcode ID: 85651f3789586eff84ea568efb8665d13f3d48c2f286855f18274e3928cd8560
• Instruction ID: d3ccb124cda5ba7a4bea3d036a5926c00f28a27dd7edc6978ea291a301fd4f8b
• Opcode Fuzzy Hash: 85651f3789586eff84ea568efb8665d13f3d48c2f286855f18274e3928cd8560
• Instruction Fuzzy Hash: 0EE02232504180AFEB248F70C88AEAA7FB0FF61308708026CE09054261D3364911CF58

                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                          control_flow_graph 0 24f003c-24f0047 1 24f004c-24f0263 call 24f0a3f call 24f0e0f call 24f0d90 VirtualAlloc 0->1 2 24f0049 0->2 17 24f028b-24f0292 1->17 18 24f0265-24f0289 call 24f0a69 1->18 2->1 20 24f02a1-24f02b0 17->20 22 24f02ce-24f03c2 VirtualProtect call 24f0cce call 24f0ce7 18->22 20->22 23 24f02b2-24f02cc 20->23 29 24f03d1-24f03e0 22->29 23->20 30 24f0439-24f04b8 VirtualFree 29->30 31 24f03e2-24f0437 call 24f0ce7 29->31 33 24f04be-24f04cd 30->33 34 24f05f4-24f05fe 30->34 31->29 38 24f04d3-24f04dd 33->38 35 24f077f-24f0789 34->35 36 24f0604-24f060d 34->36 42 24f078b-24f07a3 35->42 43 24f07a6-24f07b0 35->43 36->35 39 24f0613-24f0637 36->39 38->34 41 24f04e3-24f0505 38->41 46 24f063e-24f0648 39->46 50 24f0517-24f0520 41->50 51 24f0507-24f0515 41->51 42->43 44 24f086e-24f08be LoadLibraryA 43->44 45 24f07b6-24f07cb 43->45 55 24f08c7-24f08f9 44->55 47 24f07d2-24f07d5 45->47 46->35 48 24f064e-24f065a 46->48 52 24f07d7-24f07e0 47->52 53 24f0824-24f0833 47->53 48->35 54 24f0660-24f066a 48->54 56 24f0526-24f0547 50->56 51->56 57 24f07e4-24f0822 52->57 58 24f07e2 52->58 60 24f0839-24f083c 53->60 59 24f067a-24f0689 54->59 61 24f08fb-24f0901 55->61 62 24f0902-24f091d 55->62 63 24f054d-24f0550 56->63 57->47 58->53 64 24f068f-24f06b2 59->64 65 24f0750-24f077a 59->65 60->44 66 24f083e-24f0847 60->66 61->62 68 24f0556-24f056b 63->68 69 24f05e0-24f05ef 63->69 70 24f06ef-24f06fc 64->70 71 24f06b4-24f06ed 64->71 65->46 72 24f084b-24f086c 66->72 73 24f0849 66->73 74 24f056f-24f057a 68->74 75 24f056d 68->75 69->38 76 24f06fe-24f0748 70->76 77 24f074b 70->77 71->70 72->60 73->44 78 24f057c-24f0599 74->78 79 24f059b-24f05bb 74->79 75->69 76->77 77->59 84 24f05bd-24f05db 78->84 79->84 84->63
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 024F024D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1854500732.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_24f0000_5GOuTtZoQn.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID: cess$kernel32.dll
• API String ID: 4275171209-1230238691
• Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction ID: fbf06393b412c87a3d50d88f0dbf1f48102c0f1d04f45ddb18649da5986a0ba6
• Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction Fuzzy Hash: 3E526D74A01229DFDBA4CF58C984BADBBB1BF49304F1480DAE54DA7356DB30AA85CF14

Control-flow Graph (rendered graph not reproduced): blocks 024f0e0f-024f0e2c, a short routine that calls SetErrorMode twice.
APIs
• SetErrorMode.KERNELBASE(00000400,?,?,024F0223,?,?), ref: 024F0E19
• SetErrorMode.KERNELBASE(00000000,?,?,024F0223,?,?), ref: 024F0E1E
Memory Dump Source
• Source File: 00000000.00000002.1854500732.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_24f0000_5GOuTtZoQn.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction ID: a1355340812a76edfb87e8f37077e87cd166259ba3829630d5b4c7a92252a5d3
• Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction Fuzzy Hash: 52D01231545128B7D7402A94DC09BCE7B1CDF45B66F008011FB0DD9181C770954046E5

Control-flow Graph (rendered graph not reproduced): blocks 004019bd-00401a80 in the 00400000 image. The routine calls 00401268 (twice), Sleep, 004014e8 and 004015e9.
APIs
• Sleep.KERNELBASE(00001388), ref: 00401A0E
  • Part of subcall function 004015E9: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016AB
  • Part of subcall function 004015E9: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016D8
Memory Dump Source
• Source File: 00000000.00000002.1853556724.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_5GOuTtZoQn.jbxd
Similarity
• API ID: CreateDuplicateObjectSectionSleep
• String ID:
• API String ID: 4152845823-0
• Opcode ID: 002abf4147cc44dd106f2b9821ac185759d600f3530b55a8e676946b78b131f3
• Instruction ID: e2974f241766d04c7081462d4ca2abe6b5e4a304a4234f5a91902124bd20d52f
• Opcode Fuzzy Hash: 002abf4147cc44dd106f2b9821ac185759d600f3530b55a8e676946b78b131f3
• Instruction Fuzzy Hash: BC118EB134D204EBEB00AAD48D82E6B3658AB01754F30817BB607791F0D57D9A13FB6B

Control-flow Graph (rendered graph not reproduced): blocks 004019c8-00401a80, an alternate entry into the same routine (a loop at 004019cc-004019df, then either the Sleep / 004014e8 / 004015e9 path or a direct jump to 00401a51).
APIs
• Sleep.KERNELBASE(00001388), ref: 00401A0E
Memory Dump Source
• Source File: 00000000.00000002.1853556724.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_5GOuTtZoQn.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 2344a0ec476235cd0ca625371c038d14233a4536a073d2e832153e82ec7f32c1
• Instruction ID: 9a362fc77340605c6e6f4b0bc9a5ecd872e53382ec3836953d58f0e25d3c226f
• Opcode Fuzzy Hash: 2344a0ec476235cd0ca625371c038d14233a4536a073d2e832153e82ec7f32c1
• Instruction Fuzzy Hash: 1311917670D241EBDB019AA08C81AAA37649F41300F2482BBF553791F1C53DDA13EB2B
APIs
• Sleep.KERNELBASE(00001388), ref: 00401A0E
  • Part of subcall function 004015E9: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016AB
  • Part of subcall function 004015E9: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016D8
Memory Dump Source
• Source File: 00000000.00000002.1853556724.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_5GOuTtZoQn.jbxd
Similarity
• API ID: CreateDuplicateObjectSectionSleep
• String ID:
• API String ID: 4152845823-0
• Opcode ID: 2d2a83572eca032da882ada7310456c8301e4701373321586ea13456b050a144
• Instruction ID: c75f0512fb6ac4c74365e36f38d693f082cd7c070fee16f1fd5a87275f204c49
• Opcode Fuzzy Hash: 2d2a83572eca032da882ada7310456c8301e4701373321586ea13456b050a144
• Instruction Fuzzy Hash: 1201717134E105EBDB009AD08D41A6A32199B45700F20817BB607781F1D67D8A12BB2B
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 025B4702
Memory Dump Source
• Source File: 00000000.00000002.1854648292.00000000025B1000.00000040.00000020.00020000.00000000.sdmp, Offset: 025B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_25b1000_5GOuTtZoQn.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction ID: 77ec6f6ce5457ade0f59774b8eb06876dad3e0f6320a3c366664fbb038bb9c6b
• Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction Fuzzy Hash: 47112B79A00208EFDB01DF98C985E98BBF5AF08350F058094F9489B362D371EA50DF84
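The API lines in the blocks above print their arguments as raw hexadecimal, so the part of the call that matters for triage has to be decoded by hand: the 00000040 passed to VirtualAlloc at 025B4702 is PAGE_EXECUTE_READWRITE while the 00000004 at 024F024D is PAGE_READWRITE; NtCreateSection at 004016D8 asks for SECTION_MAP_WRITE|SECTION_MAP_READ (00000006) on a PAGE_READWRITE, SEC_COMMIT (08000000) section with a NULL FileHandle, that is a pagefile-backed section with nothing on disk; NtDuplicateObject passes DUPLICATE_SAME_ACCESS (00000002); Sleep(00001388) is 5000 ms. The two SetErrorMode calls at 024F0E19 and 024F0E1E, first with 0x400 and then with 0, have the shape of a known anti-hooking probe (SetErrorMode returns the previous mode, so the second call hands 0x400 back to a caller that can compare it, and a hooked or emulated implementation that does not preserve it is detectable). The script below is an added example, not part of the Joe Sandbox report or of the sample: it parses lines in exactly the shape printed above and decodes those parameters using the documented Windows constants. The input is constructed from the lines on this page; handle-valued arguments (the `?` and 000000FF values) are left undecoded, and whether the sample actually compares the SetErrorMode return value is an assumption, since the report shows only the two calls.

```python
"""Decode the argument constants in Joe Sandbox 'APIs' lines.

Added example; not part of the report or of the sample. The flag tables
are the documented Windows constants for the decoded parameters. The
input is constructed from the API lines on this page; handle-valued
arguments are left as printed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed input: the API lines as Joe Sandbox prints them, bullets
# and "Part of subcall function" prefixes included.
SAMPLE_API_LINES = """\
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 024F024D
• SetErrorMode.KERNELBASE(00000400,?,?,024F0223,?,?), ref: 024F0E19
• SetErrorMode.KERNELBASE(00000000,?,?,024F0223,?,?), ref: 024F0E1E
• Sleep.KERNELBASE(00001388), ref: 00401A0E
  • Part of subcall function 004015E9: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016AB
  • Part of subcall function 004015E9: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016D8
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 025B4702
"""

LINE_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Documented Windows constants for the parameters decoded below.
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET",
             0x100000: "MEM_TOP_DOWN"}
PAGE_PROT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
             0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE"}
SECTION_ACCESS = {0x1: "SECTION_QUERY", 0x2: "SECTION_MAP_WRITE", 0x4: "SECTION_MAP_READ",
                  0x8: "SECTION_MAP_EXECUTE", 0x10: "SECTION_EXTEND_SIZE"}
SEC_ATTRS = {0x1000000: "SEC_IMAGE", 0x4000000: "SEC_RESERVE", 0x8000000: "SEC_COMMIT",
             0x10000000: "SEC_NOCACHE"}
DUP_OPTIONS = {0x1: "DUPLICATE_CLOSE_SOURCE", 0x2: "DUPLICATE_SAME_ACCESS"}


def flag_names(value: Optional[int], table: Dict[int, str]) -> str:
    """Render a bitmask with the table's names; bits not in the table stay hex."""
    if value is None:
        return "?"
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(hex(rest))
    return "|".join(names) if names else "0"


def parse_api_line(line: str) -> Optional[Dict]:
    """One 'Api.Module(args), ref: addr' line -> dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = [None if a.strip() == "?" else int(a, 16) for a in m["args"].split(",")]
    return {"api": m["api"], "module": m["mod"], "args": args, "ref": m["ref"].upper()}


def decode_call(call: Dict) -> List[str]:
    """Annotate only the parameters that matter for triage."""
    api, a = call["api"], call["args"]
    notes: List[str] = []
    if api == "VirtualAlloc" and len(a) == 4:
        notes.append(f"flAllocationType={flag_names(a[2], MEM_FLAGS)}")
        notes.append(f"flProtect={flag_names(a[3], PAGE_PROT)}")
        if a[3] is not None and a[3] & 0x40:
            notes.append("RWX allocation: typical for unpacking or shellcode staging")
    elif api == "NtCreateSection" and len(a) == 7:
        notes.append(f"DesiredAccess={flag_names(a[1], SECTION_ACCESS)}")
        notes.append(f"SectionPageProtection={flag_names(a[4], PAGE_PROT)}")
        notes.append(f"AllocationAttributes={flag_names(a[5], SEC_ATTRS)}")
        if a[6] == 0:
            notes.append("FileHandle=NULL: pagefile-backed section, nothing on disk")
    elif api == "NtDuplicateObject" and len(a) == 7:
        notes.append(f"Options={flag_names(a[6], DUP_OPTIONS)}")
    elif api == "Sleep" and len(a) == 1 and a[0] is not None:
        notes.append(f"dwMilliseconds={a[0]} ({a[0] / 1000:g} s)")
    elif api == "SetErrorMode" and a and a[0] is not None:
        notes.append(f"uMode={a[0]:#x}")
    return notes


def find_seterrormode_probe(calls: List[Dict]) -> List[Tuple[str, str]]:
    """SetErrorMode(x != 0) immediately followed by SetErrorMode(0).

    SetErrorMode returns the previous mode, so the second call hands x back
    to a caller that can compare it. Only the call shape is visible in the
    report; that the sample compares the value is an assumption.
    """
    hits = []
    for prev, cur in zip(calls, calls[1:]):
        if (prev["api"] == cur["api"] == "SetErrorMode"
                and prev["args"] and prev["args"][0] not in (None, 0)
                and cur["args"] and cur["args"][0] == 0):
            hits.append((prev["ref"], cur["ref"]))
    return hits


def triage(text: str) -> List[Dict]:
    """Parse every API line in the text and attach its decoded notes."""
    calls = [c for c in (parse_api_line(line) for line in text.splitlines()) if c]
    for c in calls:
        c["notes"] = decode_call(c)
    return calls


if __name__ == "__main__":
    parsed = triage(SAMPLE_API_LINES)
    for c in parsed:
        print(f"{c['ref']} {c['api']:<18} {'; '.join(c['notes'])}")
    for first, second in find_seterrormode_probe(parsed):
        print(f"SetErrorMode probe shape at {first} -> {second}")
```

The decoder deliberately leaves the PE-image addresses alone: the 000000FF values in NtDuplicateObject are whatever the sandbox logged for the source and target process handles, and guessing that they stand for the current-process pseudo-handle would be reading more into the report than it shows.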
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • Sleep.KERNELBASE(00001388), ref: 00401A0E
                                                                                                                                                                                                                            • Part of subcall function 004015E9: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016AB
                                                                                                                                                                                                                            • Part of subcall function 004015E9: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016D8
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1853556724.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_5GOuTtZoQn.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CreateDuplicateObjectSectionSleep
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 4152845823-0
                                                                                                                                                                                                                          • Opcode ID: 9a88e1a388e7f99f6910d9958252f34bb3826b2cbe02ae65f90951c14fd9a552
                                                                                                                                                                                                                          • Instruction ID: 0011880760dd260d211533c0e83e0a01d9c02e15723a0a2af455ba8ff62ae6bc
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9a88e1a388e7f99f6910d9958252f34bb3826b2cbe02ae65f90951c14fd9a552
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0501623170A205EBDB01ABE49D81EAA37249F05314F204177F503B91F1D67DDA12AF2B
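The API record above prints the arguments of Sleep, NtDuplicateObject and NtCreateSection as raw hex, which is what the analyst has to decode by hand to see what the call actually asked for. The following is an added example, not Joe Sandbox's code or anything from the sample: a small decoder for this record format that parses the three lines verbatim from the entry and names the flag-bearing arguments using the documented Windows constants (winnt.h / ntifs.h values). The parameter positions follow the public NtCreateSection and NtDuplicateObject prototypes; handles and pointers (including the 000000FF values and the `?` placeholders) are deliberately left opaque rather than guessed.

```python
import re

# Constructed input: the three API call records from the "APIs" entry above, copied verbatim.
SAMPLE_API_LINES = [
    "Sleep.KERNELBASE(00001388), ref: 00401A0E",
    "NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016AB",
    "NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016D8",
]

# Joe Sandbox prints each call as  Api.Module(arg,arg,...), ref: <caller address>;
# "?" marks an argument whose value the tracer did not record.
API_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)

# Documented Windows bit-flag values used to name the numeric arguments.
SECTION_ACCESS = {
    0x1: "SECTION_QUERY", 0x2: "SECTION_MAP_WRITE", 0x4: "SECTION_MAP_READ",
    0x8: "SECTION_MAP_EXECUTE", 0x10: "SECTION_EXTEND_SIZE",
}
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE",
}
SECTION_ATTRIBUTES = {
    0x1000000: "SEC_IMAGE", 0x4000000: "SEC_RESERVE", 0x8000000: "SEC_COMMIT",
    0x10000000: "SEC_NOCACHE", 0x80000000: "SEC_LARGE_PAGES",
}
DUPLICATE_OPTIONS = {
    0x1: "DUPLICATE_CLOSE_SOURCE", 0x2: "DUPLICATE_SAME_ACCESS", 0x4: "DUPLICATE_SAME_ATTRIBUTES",
}

# Which argument positions carry flags, per API: 0-based index -> (parameter name, flag table).
# A table of None means "plain integer"; handles and pointers are not listed and stay opaque.
ARG_DECODERS = {
    "Sleep": {0: ("dwMilliseconds", None)},
    "NtDuplicateObject": {6: ("Options", DUPLICATE_OPTIONS)},
    "NtCreateSection": {
        1: ("DesiredAccess", SECTION_ACCESS),
        4: ("SectionPageProtection", PAGE_PROTECTION),
        5: ("AllocationAttributes", SECTION_ATTRIBUTES),
    },
}


def decode_flags(value, table):
    """Return the flag names set in value; bits the table does not cover are kept as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(f"0x{leftover:X}")
    return names


def parse_api_line(line):
    """Split one record into api, module, integer args (None for '?') and caller address."""
    m = API_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox API record: {line!r}")
    raw_args = m["args"].split(",") if m["args"] else []
    args = [None if a == "?" else int(a, 16) for a in raw_args]
    return {"api": m["api"], "module": m["module"], "args": args, "ref": int(m["ref"], 16)}


def decode_call(record):
    """Name the flag-bearing arguments of one parsed call; unknown APIs decode to an empty dict."""
    decoded = {}
    for idx, (param, table) in ARG_DECODERS.get(record["api"], {}).items():
        if idx >= len(record["args"]) or record["args"][idx] is None:
            decoded[param] = "?"
        elif table is None:
            decoded[param] = record["args"][idx]
        else:
            decoded[param] = decode_flags(record["args"][idx], table)
    return decoded


def summarize(lines):
    """One readable line per record, suitable for pasting into analyst notes."""
    out = []
    for line in lines:
        rec = parse_api_line(line)
        fields = ", ".join(f"{k}={v}" for k, v in decode_call(rec).items())
        out.append(f"{rec['ref']:08X} {rec['api']}({fields})")
    return out


if __name__ == "__main__":
    for s in summarize(SAMPLE_API_LINES):
        print(s)
```

Run on the three lines, the decoder reports a 5000 ms sleep, a handle duplicated with DUPLICATE_SAME_ACCESS, and a section created with SECTION_MAP_WRITE|SECTION_MAP_READ access, PAGE_READWRITE protection and SEC_COMMIT backing. Those are the values to compare against the mapping and thread-creation calls elsewhere in the report when deciding whether a section is being used to move code into another process; the decoder itself only names what the trace recorded and does not infer a target process from the opaque handle arguments.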
Strings
Memory Dump Source
• Source File: 00000000.00000002.1854500732.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_24f0000_5GOuTtZoQn.jbxd
Yara matches
Similarity
• API ID:
• String ID: .$GetProcAddress.$l
• API String ID: 0-2784972518
• Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
• Instruction ID: 8cc2ddee45e4730f41419645bc1fe682aa102da875142fd5a7aad30607f3018e
• Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
• Instruction Fuzzy Hash: 41318AB6900609CFEB10CF99C880AAEBBF9FF88324F14504AD941A7315D771EA45CFA4
Memory Dump Source
• Source File: 00000000.00000002.1853556724.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_5GOuTtZoQn.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a11b8886bc5a55e849dc168c8d66a6580bbcc78fabc53793da1861fc1c4968ee
• Instruction ID: 99c089e88d752ae15f559b7cde6d10c402be0283320b8487bac010586060de21
• Opcode Fuzzy Hash: a11b8886bc5a55e849dc168c8d66a6580bbcc78fabc53793da1861fc1c4968ee
• Instruction Fuzzy Hash: 8D31585281D3C09FD3230F6058A5A667F6C5613306B2A50FBC442BE1E3DA7D9B0AA35F
Memory Dump Source
• Source File: 00000000.00000002.1853556724.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_5GOuTtZoQn.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0e18d58ef7e6616fddb39b591598bb7d969d3885357e8c02b9f80a7a807497c8
• Instruction ID: 6da59bd9ec2d75c3407da3a441f7425016dcea827cdc246f40788caf55ae57aa
• Opcode Fuzzy Hash: 0e18d58ef7e6616fddb39b591598bb7d969d3885357e8c02b9f80a7a807497c8
• Instruction Fuzzy Hash: 4A113D6291C681CBD7174F1158E8A367F2C5602307B2640BBC902B91E2DF7D5B06634F
Memory Dump Source
• Source File: 00000000.00000002.1853556724.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_5GOuTtZoQn.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c7e4b5894b2c6eecd6f073f6f8a263570923473a922455e0a074f2af0b9407f9
• Instruction ID: 3664ed7273788c7049171d09a9420e0c20c723c297bc8062d4273d8a0c982441
• Opcode Fuzzy Hash: c7e4b5894b2c6eecd6f073f6f8a263570923473a922455e0a074f2af0b9407f9
• Instruction Fuzzy Hash: 9E11266291C681DBC6174F1158E8D367F2C550230772A40BBC902BE1E2EFBD9B06635F
Memory Dump Source
• Source File: 00000000.00000002.1853556724.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_5GOuTtZoQn.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9fca3ca164cecd6382c334f3ac805b374a46c3377f8cc86c62c4f23ba0aa73a6
• Instruction ID: 23eecc910c6b557d22748eda4846e4f8179e2721fff651a63b55ac8a5b0a48bd
• Opcode Fuzzy Hash: 9fca3ca164cecd6382c334f3ac805b374a46c3377f8cc86c62c4f23ba0aa73a6
• Instruction Fuzzy Hash: FE117BA3D192C19FCB134F245C94A727F289603317B2940B7C442BE1E3DB799A05931F
Memory Dump Source
• Source File: 00000000.00000002.1853556724.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_5GOuTtZoQn.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 159ab245548f765065f62b44fd7e1c4dd2635a3a006db3667d526041fef4a1c5
• Instruction ID: cc8bf470d196836ea5a1056713303afca826b2c8dc86ab51657535c19d42c99a
• Opcode Fuzzy Hash: 159ab245548f765065f62b44fd7e1c4dd2635a3a006db3667d526041fef4a1c5
• Instruction Fuzzy Hash: 22110862A1C6819BC6174F1158A89367F2C650230772A44B7C902BA1E3EF7D9B06A35F
Memory Dump Source
• Source File: 00000000.00000002.1854648292.00000000025B1000.00000040.00000020.00020000.00000000.sdmp, Offset: 025B1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_25b1000_5GOuTtZoQn.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
• Instruction ID: 226868b026548e60c0ae38d1a188f8ca25ef3339b76c88a880d1195db10634e3
• Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
• Instruction Fuzzy Hash: 5F118E72750100AFDB54DF59EC90EE673EAFF88220B2D8065ED04CB316E676E841CB64
Memory Dump Source
• Source File: 00000000.00000002.1853556724.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_5GOuTtZoQn.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f81465c2e053d0df7625a4268410182b68f3757459cdd3492db1ba17ff45c6bf
• Instruction ID: cecadfa70a3b5cbcd7e93f6d8df52c98189fd8657a036c1cfd11edb2033b5d6e
• Opcode Fuzzy Hash: f81465c2e053d0df7625a4268410182b68f3757459cdd3492db1ba17ff45c6bf
• Instruction Fuzzy Hash: 9E012663E096818BCB234F2458A89767F286603317B1A40B7C441BE1E3EB788B05934F
Memory Dump Source
• Source File: 00000000.00000002.1853556724.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_5GOuTtZoQn.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 29c611fd808a40f9dff1667aef221487ba70163d36ddfac642116bca70176d5d
• Instruction ID: fc70c4b823dace7e3ef632697d60387faff523b36fff4b48334137601d29e84b
• Opcode Fuzzy Hash: 29c611fd808a40f9dff1667aef221487ba70163d36ddfac642116bca70176d5d
• Instruction Fuzzy Hash: 2F012463E096C14FCB235F244868A76BF286903216B1A80F7C001BF1F3EB798E05924E
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1853556724.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_400000_5GOuTtZoQn.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 41e80c51545b8c056cfba435e638bb1a0d6880000a956852ad301e59cb8a1bc8
                                                                                                                                                                                                                          • Instruction ID: 44cc76dee77400e2aad71495faf7c9ac1cddaeadd86670ba27cad0a20c60bee6
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 41e80c51545b8c056cfba435e638bb1a0d6880000a956852ad301e59cb8a1bc8
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7D014763E496C14FCB234F254868A767F286903246B0A80F7C041BE1F3EB788E09934E
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000000.00000002.1854500732.00000000024F0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024F0000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_0_2_24f0000_5GOuTtZoQn.jbxd
                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                                                                                                                                                          • Instruction ID: a1c71ae27c6bec535a0940fb186207137ad1d37a2fc915d52da6caf67d1247ae
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0D01F273A116008FDF61CF20C904BAB33E9FBC6206F0550A6DA0A9738AE370A8418B80

Execution Graph

Execution Coverage: 5.3%
Dynamic/Decrypted Code Coverage: 39.2%
Signature Coverage: 0%
Total number of Nodes: 125
Total number of Limit Nodes: 2
execution_graph 4416 403222 4417 4031ee RtlCreateUserThread NtTerminateProcess 4416->4417 4418 403213 4416->4418 4417->4418 4539 402f23 4541 402f44 4539->4541 4540 4019bd 8 API calls 4542 40300b 4540->4542 4541->4540 4541->4542 4419 402f64 4421 402f5b 4419->4421 4422 40300b 4421->4422 4423 4019bd 4421->4423 4424 4019ce 4423->4424 4425 401a06 Sleep 4424->4425 4426 401a21 4425->4426 4428 401a32 4426->4428 4429 4015e9 4426->4429 4430 4015fa 4429->4430 4431 40169c NtDuplicateObject 4430->4431 4440 4017b8 4430->4440 4432 4016b9 NtCreateSection 4431->4432 4431->4440 4433 401739 NtCreateSection 4432->4433 4434 4016df NtMapViewOfSection 4432->4434 4435 401765 4433->4435 4433->4440 4434->4433 4436 401702 NtMapViewOfSection 4434->4436 4437 40176f NtMapViewOfSection 4435->4437 4435->4440 4436->4433 4438 401720 4436->4438 4439 401796 NtMapViewOfSection 4437->4439 4437->4440 4438->4433 4439->4440 4440->4428 4441 3f9003c 4442 3f90049 4441->4442 4454 3f90e0f SetErrorMode SetErrorMode 4442->4454 4447 3f90265 4448 3f902ce VirtualProtect 4447->4448 4450 3f9030b 4448->4450 4449 3f90439 VirtualFree 4453 3f904be LoadLibraryA 4449->4453 4450->4449 4452 3f908c7 4453->4452 4455 3f90223 4454->4455 4456 3f90d90 4455->4456 4457 3f90dad 4456->4457 4458 3f90dbb GetPEB 4457->4458 4459 3f90238 VirtualAlloc 4457->4459 4458->4459 4459->4447 4531 4030c5 4532 40321c 4531->4532 4533 4030ef 4531->4533 4533->4532 4534 4031aa RtlCreateUserThread NtTerminateProcess 4533->4534 4534->4532 4547 4019c8 4548 4019cc 4547->4548 4549 401a32 4548->4549 4550 401a06 Sleep 4548->4550 4551 401a21 4550->4551 4551->4549 4552 4015e9 7 API calls 4551->4552 4552->4549 4553 4019ec 4554 4019e6 4553->4554 4555 401a06 Sleep 4554->4555 4556 401a21 4555->4556 4557 4015e9 7 API calls 4556->4557 4558 401a32 4556->4558 4557->4558 4502 40300e 4503 402ff3 4502->4503 4505 40300b 4502->4505 4504 4019bd 8 API calls 4503->4504 4504->4505 4460 2473ea8 4463 2473eb2 4460->4463 4464 2473ec1 4463->4464 4467 2474652 4464->4467 4472 247466d 4467->4472 4468 2474676 CreateToolhelp32Snapshot 4469 2474692 Module32First 4468->4469 4468->4472 4470 24746a1 4469->4470 4471 2473eb1 4469->4471 4474 2474311 4470->4474 4472->4468 4472->4469 4475 247433c 4474->4475 4476 247434d VirtualAlloc 4475->4476 4477 2474385 4475->4477 4476->4477 4477->4477 4565 4015f4 4567 4015fa 4565->4567 4566 4017b8 4567->4566 4568 40169c NtDuplicateObject 4567->4568 4568->4566 4569 4016b9 NtCreateSection 4568->4569 4570 401739 NtCreateSection 4569->4570 4571 4016df NtMapViewOfSection 4569->4571 4570->4566 4572 401765 4570->4572 4571->4570 4573 401702 NtMapViewOfSection 4571->4573 4572->4566 4574 40176f NtMapViewOfSection 4572->4574 4573->4570 4575 401720 4573->4575 4574->4566 4576 401796 NtMapViewOfSection 4574->4576 4575->4570 4576->4566 4577 4017f7 4578 401797 NtMapViewOfSection 4577->4578 4579 40180e 4577->4579 4580 4017b8 4578->4580 4581 3f90001 4582 3f90005 4581->4582 4587 3f9092b GetPEB 4582->4587 4584 3f90030 4589 3f9003c 4584->4589 4588 3f90972 4587->4588 4588->4584 4590 3f90049 4589->4590 4591 3f90e0f 2 API calls 4590->4591 4592 3f90223 4591->4592 4593 3f90d90 GetPEB 4592->4593 4594 3f90238 VirtualAlloc 4593->4594 4595 3f90265 4594->4595 4596 3f902ce VirtualProtect 4595->4596 4598 3f9030b 4596->4598 4597 3f90439 VirtualFree 4601 3f904be LoadLibraryA 4597->4601 4598->4597 4600 3f908c7 4601->4600 4506 401619 4507 4015ce 4506->4507 4508 40161f 4506->4508 4509 40169c NtDuplicateObject 4508->4509 4517 4017b8 4508->4517 4510 4016b9 NtCreateSection 4509->4510 4509->4517 4511 401739 NtCreateSection 4510->4511 4512 4016df NtMapViewOfSection 4510->4512 4513 401765 4511->4513 4511->4517 4512->4511 4514 401702 NtMapViewOfSection 4512->4514 4515 40176f NtMapViewOfSection 4513->4515 4513->4517 4514->4511 4518 401720 4514->4518 4516 401796 NtMapViewOfSection 4515->4516 4515->4517 4516->4517 4518->4511 4602 3f90005 4603 3f9092b GetPEB 4602->4603 4604 3f90030 4603->4604 4605 3f9003c 7 API calls 4604->4605 4606 3f90038 4605->4606
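The execution_graph text above is a flattened Graphviz edge list: each node is written as an id, the hex address of the basic block, and optional API labels, and each edge as id->id. Reading the Sleep, NtDuplicateObject, NtCreateSection, NtMapViewOfSection chain under 4019bd out of that by hand means chasing ids across hundreds of tokens. The parser below is an added example written for this page; it is not part of the Joe Sandbox report or its tooling. It rebuilds the graph from the text and answers the two questions an analyst asks of it: which nodes are entry points, and which APIs are reachable from a given block address. The embedded sample is three connected components copied verbatim from the dump above; the node/edge grammar (including "<n> API calls" as a collapsed callee) is inferred from that text and is an assumption about the format, not a documented one.

```python
import re
from collections import defaultdict, deque

# Constructed sample: three connected components copied verbatim from the
# execution_graph text of this report. Grammar assumed from that text:
#   node  = "<id> <hex block address> [API label ...]"
#   edge  = "<id>-><id>"
#   "<n> API calls" after an address marks a collapsed callee, not an API name
SAMPLE_GRAPH = """
4416 403222 4417 4031ee RtlCreateUserThread NtTerminateProcess 4416->4417 4418 403213 4416->4418 4417->4418
4539 402f23 4541 402f44 4539->4541 4540 4019bd 8 API calls 4542 40300b 4540->4542 4541->4540 4541->4542
4419 402f64 4421 402f5b 4419->4421 4422 40300b 4421->4422 4423 4019bd 4421->4423 4424 4019ce 4423->4424
4425 401a06 Sleep 4424->4425 4426 401a21 4425->4426 4428 401a32 4426->4428 4429 4015e9 4426->4429
4430 4015fa 4429->4430 4431 40169c NtDuplicateObject 4430->4431 4440 4017b8 4430->4440
4432 4016b9 NtCreateSection 4431->4432 4431->4440 4433 401739 NtCreateSection 4432->4433
4434 4016df NtMapViewOfSection 4432->4434 4435 401765 4433->4435 4433->4440 4434->4433
4436 401702 NtMapViewOfSection 4434->4436 4437 40176f NtMapViewOfSection 4435->4437 4435->4440 4436->4433
4438 401720 4436->4438 4439 401796 NtMapViewOfSection 4437->4439 4437->4440 4438->4433 4439->4440 4440->4428
"""

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
HEX_RE = re.compile(r"^[0-9a-f]+$")   # block addresses are lowercase hex in the dump
DEC_RE = re.compile(r"^\d+$")         # node ids are decimal


class ExecGraph:
    def __init__(self):
        self.addr = {}                  # node id -> block address
        self.apis = defaultdict(list)   # node id -> API labels on that node
        self.collapsed = {}             # node id -> n from "<n> API calls"
        self.succ = defaultdict(set)
        self.pred = defaultdict(set)


def parse_execution_graph(text):
    """Tokenise the flattened graph; a node starts wherever a decimal id is followed by a hex address."""
    g = ExecGraph()
    toks = text.split()
    i, cur = 0, None
    while i < len(toks):
        t = toks[i]
        m = EDGE_RE.match(t)
        if m:
            a, b = m.group(1), m.group(2)
            g.succ[a].add(b)
            g.pred[b].add(a)
            i += 1
            continue
        nxt = toks[i + 1] if i + 1 < len(toks) else ""
        if DEC_RE.match(t) and HEX_RE.match(nxt) and not EDGE_RE.match(nxt):
            cur = t
            g.addr[cur] = nxt
            i += 2
            continue
        if cur is not None:
            if t.isdigit() and toks[i + 1:i + 3] == ["API", "calls"]:
                g.collapsed[cur] = int(t)   # summarised callee, no API name here
                i += 3
                continue
            g.apis[cur].append(t)           # anything else labels the current node
        i += 1
    return g


def nodes_at(g, addr):
    return sorted((n for n, a in g.addr.items() if a == addr), key=int)


def roots(g):
    """Nodes with no predecessor: the entry points the sandbox started tracing from."""
    return sorted((n for n in g.addr if not g.pred[n]), key=int)


def _reach(g, addr):
    seen, q = set(), deque(nodes_at(g, addr))
    while q:
        n = q.popleft()
        if n in seen:
            continue
        seen.add(n)
        q.extend(sorted(g.succ[n], key=int))
    return seen


def apis_reachable_from(g, addr):
    return {api for n in _reach(g, addr) for api in g.apis[n]}


def api_blocks_from(g, addr):
    """(block address, API) pairs reachable from addr, ordered by block address."""
    pairs = [(g.addr[n], api) for n in _reach(g, addr) for api in g.apis[n]]
    return sorted(pairs, key=lambda p: (int(p[0], 16), p[1]))


if __name__ == "__main__":
    g = parse_execution_graph(SAMPLE_GRAPH)
    for r in roots(g):
        print(g.addr[r], sorted(apis_reachable_from(g, g.addr[r])))
    for blk, api in api_blocks_from(g, "4019bd"):
        print(f"  {blk}  {api}")
```

Run against the full dump, the same functions show that both 4019bd entries (the expanded node and the "8 API calls" stub) lead into the 4015e9 section-mapping routine, and that the RtlCreateUserThread/NtTerminateProcess nodes sit on separate roots (403222, 4030c5) rather than in that chain.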

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 85 4015e9-4015f2 86 401604 85->86 87 4015fa-401646 call 401268 85->87 86->87 97 401648 87->97 98 40164b-401650 87->98 97->98 100 401965-40196d 98->100 101 401656-401667 98->101 100->98 106 401972-4019ba call 401268 100->106 104 401963 101->104 105 40166d-401696 101->105 104->106 105->104 113 40169c-4016b3 NtDuplicateObject 105->113 113->104 116 4016b9-4016dd NtCreateSection 113->116 118 401739-40175f NtCreateSection 116->118 119 4016df-401700 NtMapViewOfSection 116->119 118->104 120 401765-401769 118->120 119->118 121 401702-40171e NtMapViewOfSection 119->121 120->104 123 40176f-401790 NtMapViewOfSection 120->123 121->118 125 401720-401736 121->125 123->104 126 401796-4017b2 NtMapViewOfSection 123->126 125->118 126->104 128 4017b8 call 4017bd 126->128
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016AB
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016D8
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016FB
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401719
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040175A
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040178B
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017AD
Memory Dump Source
• Source File: 00000005.00000002.2152719871.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wdugfia.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: c403c01a180556a21b32c54d606707ce257114ba21ce773171317465317b1327
• Instruction ID: 81f6fda8427d1b43236a49491d64036918e053862e587f83ca4f6c41e111eef5
• Opcode Fuzzy Hash: c403c01a180556a21b32c54d606707ce257114ba21ce773171317465317b1327
• Instruction Fuzzy Hash: AC615EB0504245FBEB208F95CC89FAF7BB8EF85B04F14012AF912BA1E4D7759901DB69
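The API list for the routine at 004015E9 gives statically recovered argument values, and the interesting content is in those values: a pagefile-backed section created with PAGE_READWRITE (00000004) and SEC_COMMIT (08000000), mapped into two processes, then a second section created with SECTION_MAP_READ|WRITE|EXECUTE (0000000E) and PAGE_EXECUTE_READWRITE (00000040), mapped PAGE_READWRITE locally and PAGE_EXECUTE_READ (00000020) into the other process. That is the write-here / execute-there section-mapping injection that needs no WriteProcessMemory or VirtualAllocEx. The script below is an added example written for this page, not the report's own tooling: it parses the seven lines exactly as printed above, decodes the NtCreateSection and NtMapViewOfSection arguments by their documented parameter positions, groups each section with the views mapped from it, and flags sections that end up executable in a foreign process. One assumption is labelled in the code: this listing renders the -1 NtCurrentProcess() pseudo-handle as 000000FF, so that value is read as the local process and a "?" ProcessHandle (a run-time value, here the handle that NtDuplicateObject produced) as the remote one.

```python
import re

# Constructed input: the seven API lines printed for function 004015E9 in this
# report, copied verbatim (the leading bullet is part of the report's rendering).
API_LINES = """
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016AB
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016D8
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016FB
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401719
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040175A
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040178B
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017AD
"""

LINE_RE = re.compile(r"^\s*•?\s*(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")

PAGE_PROT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
EXEC_PROT = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ", "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}
SECTION_ACCESS = {0x1: "SECTION_QUERY", 0x2: "SECTION_MAP_WRITE", 0x4: "SECTION_MAP_READ",
                  0x8: "SECTION_MAP_EXECUTE", 0x10: "SECTION_EXTEND_SIZE"}
SEC_ATTR = {0x08000000: "SEC_COMMIT", 0x04000000: "SEC_RESERVE", 0x01000000: "SEC_IMAGE",
            0x00800000: "SEC_NOCACHE", 0x00400000: "SEC_LARGE_PAGES"}
INHERIT = {1: "ViewShare", 2: "ViewUnmap"}
# Assumption: the listing shows the -1 NtCurrentProcess() pseudo-handle as 000000FF
# (a sign-extended push -1); anything else, including "?", is treated as a foreign process.
LOCAL_PROCESS = {"000000FF", "FFFFFFFF"}


def parse_api_lines(text):
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            calls.append({"api": m.group(1), "module": m.group(2),
                          "args": [a.strip() for a in m.group(3).split(",")],
                          "ref": m.group(4).upper()})
    return calls


def hexval(arg):
    """Static argument value, or None for '?' (only known at run time)."""
    return None if arg == "?" else int(arg, 16)


def flags(value, table):
    return sorted(name for bit, name in table.items() if value is not None and value & bit)


def decode(call):
    a = call["args"]
    if call["api"] == "NtCreateSection":
        # (SectionHandle, DesiredAccess, ObjectAttributes, MaximumSize,
        #  SectionPageProtection, AllocationAttributes, FileHandle)
        return {"access": flags(hexval(a[1]), SECTION_ACCESS),
                "protect": PAGE_PROT.get(hexval(a[4]), "unknown"),
                "attrs": flags(hexval(a[5]), SEC_ATTR),
                "pagefile_backed": hexval(a[6]) == 0}
    if call["api"] == "NtMapViewOfSection":
        # (SectionHandle, ProcessHandle, BaseAddress, ZeroBits, CommitSize, SectionOffset,
        #  ViewSize, InheritDisposition, AllocationType, Win32Protect)
        return {"local": a[1] in LOCAL_PROCESS,
                "inherit": INHERIT.get(hexval(a[7]), "unknown"),
                "protect": PAGE_PROT.get(hexval(a[9]), "unknown")}
    return {}


def section_views(calls):
    """Group each NtCreateSection with the NtMapViewOfSection calls that follow it."""
    sections = []
    for c in calls:
        if c["api"] == "NtCreateSection":
            sections.append({"create_ref": c["ref"], **decode(c), "views": []})
        elif c["api"] == "NtMapViewOfSection" and sections:
            sections[-1]["views"].append({"ref": c["ref"], **decode(c)})
    return sections


def find_section_injection(calls):
    """Pagefile-backed sections mapped into a foreign process and executable there
    (or created RWX): the shared-section injection pattern."""
    findings = []
    for s in section_views(calls):
        remote = [v for v in s["views"] if not v["local"]]
        local = [v for v in s["views"] if v["local"]]
        executable = s["protect"] in EXEC_PROT or any(v["protect"] in EXEC_PROT for v in remote)
        if s["pagefile_backed"] and remote and executable:
            findings.append({"create_ref": s["create_ref"], "section_protect": s["protect"],
                             "local_protect": [v["protect"] for v in local],
                             "remote_protect": [v["protect"] for v in remote],
                             "remote_refs": [v["ref"] for v in remote]})
    return findings


if __name__ == "__main__":
    calls = parse_api_lines(API_LINES)
    for s in section_views(calls):
        print(s["create_ref"], s["access"], s["protect"], s["attrs"], [(v["ref"], v["local"], v["protect"]) for v in s["views"]])
    print(find_section_injection(calls))
```

The local/remote split is a heuristic over this listing, not proof on its own: a "?" ProcessHandle only means the value was not recoverable statically. On this sample it lines up with the NtDuplicateObject call that precedes the sections and with the RtlCreateUserThread node in the execution graph, which is what turns a shared executable mapping into code execution in the target.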

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 132 401619-40161d 133 4015ce-4015e6 132->133 134 40161f-401646 call 401268 132->134 139 401648 134->139 140 40164b-401650 134->140 139->140 142 401965-40196d 140->142 143 401656-401667 140->143 142->140 148 401972-4019ba call 401268 142->148 146 401963 143->146 147 40166d-401696 143->147 146->148 147->146 155 40169c-4016b3 NtDuplicateObject 147->155 155->146 158 4016b9-4016dd NtCreateSection 155->158 160 401739-40175f NtCreateSection 158->160 161 4016df-401700 NtMapViewOfSection 158->161 160->146 162 401765-401769 160->162 161->160 163 401702-40171e NtMapViewOfSection 161->163 162->146 165 40176f-401790 NtMapViewOfSection 162->165 163->160 167 401720-401736 163->167 165->146 168 401796-4017b2 NtMapViewOfSection 165->168 167->160 168->146 170 4017b8 call 4017bd 168->170
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016AB
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016D8
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016FB
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401719
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040175A
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040178B
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017AD
Memory Dump Source
• Source File: 00000005.00000002.2152719871.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wdugfia.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: 3d4281f98edc4d5c9fab7c34e02c6c853fffeeebf89f5f13e04729d870c637b5
• Instruction ID: 34f674698f60fb638750c99b36bb87cf40fbeb55ae16eb5ab1a87acb7576c899
• Opcode Fuzzy Hash: 3d4281f98edc4d5c9fab7c34e02c6c853fffeeebf89f5f13e04729d870c637b5
• Instruction Fuzzy Hash: 5A512AB1900245AFEB208F91CC88FEF7BB8FF85B14F104169F911BA2A5D7709905CB64

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 174 401603-401646 call 401268 186 401648 174->186 187 40164b-401650 174->187 186->187 189 401965-40196d 187->189 190 401656-401667 187->190 189->187 195 401972-4019ba call 401268 189->195 193 401963 190->193 194 40166d-401696 190->194 193->195 194->193 202 40169c-4016b3 NtDuplicateObject 194->202 202->193 205 4016b9-4016dd NtCreateSection 202->205 207 401739-40175f NtCreateSection 205->207 208 4016df-401700 NtMapViewOfSection 205->208 207->193 209 401765-401769 207->209 208->207 210 401702-40171e NtMapViewOfSection 208->210 209->193 212 40176f-401790 NtMapViewOfSection 209->212 210->207 214 401720-401736 210->214 212->193 215 401796-4017b2 NtMapViewOfSection 212->215 214->207 215->193 217 4017b8 call 4017bd 215->217
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016AB
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016D8
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016FB
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401719
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040175A
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040178B
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017AD
Memory Dump Source
• Source File: 00000005.00000002.2152719871.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wdugfia.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Section$View$Create$DuplicateObject
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1546783058-0
                                                                                                                                                                                                                          • Opcode ID: 4186ed6ca559843089d86802de6bf93cc630300b35f8a7e227ae1c2dabc27439
                                                                                                                                                                                                                          • Instruction ID: 500dda8f23b5602c1307b1711735e417e9b6475dbe97846f9c47cbefd4493b2b
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4186ed6ca559843089d86802de6bf93cc630300b35f8a7e227ae1c2dabc27439
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5D510BB4900245BBEB208F91CC88FAF7BB8FF85B10F14016AF911BA2E5D7759945CB64

Control-flow Graph (graph image not reproduced; node and edge list follows)
                                                                                                                                                                                                                          control_flow_graph 221 4015f4-401646 call 401268 232 401648 221->232 233 40164b-401650 221->233 232->233 235 401965-40196d 233->235 236 401656-401667 233->236 235->233 241 401972-4019ba call 401268 235->241 239 401963 236->239 240 40166d-401696 236->240 239->241 240->239 248 40169c-4016b3 NtDuplicateObject 240->248 248->239 251 4016b9-4016dd NtCreateSection 248->251 253 401739-40175f NtCreateSection 251->253 254 4016df-401700 NtMapViewOfSection 251->254 253->239 255 401765-401769 253->255 254->253 256 401702-40171e NtMapViewOfSection 254->256 255->239 258 40176f-401790 NtMapViewOfSection 255->258 256->253 260 401720-401736 256->260 258->239 261 401796-4017b2 NtMapViewOfSection 258->261 260->253 261->239 263 4017b8 call 4017bd 261->263
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016AB
                                                                                                                                                                                                                          • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016D8
                                                                                                                                                                                                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016FB
                                                                                                                                                                                                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401719
                                                                                                                                                                                                                          • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040175A
                                                                                                                                                                                                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040178B
                                                                                                                                                                                                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017AD
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000005.00000002.2152719871.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wdugfia.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Section$View$Create$DuplicateObject
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1546783058-0
                                                                                                                                                                                                                          • Opcode ID: d8de2cd78c693d786da25ad92aa3590499b5e06c5f1034c6ee7cdd7a8a44e8d5
                                                                                                                                                                                                                          • Instruction ID: 8b638c4f7f3c0f26ddcfcec7b057d6f6967c7c5477f34391eb5885aa1730f63c
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d8de2cd78c693d786da25ad92aa3590499b5e06c5f1034c6ee7cdd7a8a44e8d5
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CA510BB4900245BBEB208F91CC88FAF7BB8FF85B10F14016AF911BA2E5D7759945CB64

Control-flow Graph (graph image not reproduced; node and edge list follows)
                                                                                                                                                                                                                          control_flow_graph 267 401609-401646 call 401268 275 401648 267->275 276 40164b-401650 267->276 275->276 278 401965-40196d 276->278 279 401656-401667 276->279 278->276 284 401972-4019ba call 401268 278->284 282 401963 279->282 283 40166d-401696 279->283 282->284 283->282 291 40169c-4016b3 NtDuplicateObject 283->291 291->282 294 4016b9-4016dd NtCreateSection 291->294 296 401739-40175f NtCreateSection 294->296 297 4016df-401700 NtMapViewOfSection 294->297 296->282 298 401765-401769 296->298 297->296 299 401702-40171e NtMapViewOfSection 297->299 298->282 301 40176f-401790 NtMapViewOfSection 298->301 299->296 303 401720-401736 299->303 301->282 304 401796-4017b2 NtMapViewOfSection 301->304 303->296 304->282 306 4017b8 call 4017bd 304->306
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016AB
                                                                                                                                                                                                                          • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016D8
                                                                                                                                                                                                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016FB
                                                                                                                                                                                                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401719
                                                                                                                                                                                                                          • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040175A
                                                                                                                                                                                                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040178B
                                                                                                                                                                                                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017AD
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000005.00000002.2152719871.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wdugfia.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Section$View$Create$DuplicateObject
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1546783058-0
                                                                                                                                                                                                                          • Opcode ID: 3459b8fafdf8a8df719c8fb692eff12af857f3ad78a1142d35235e32c4799eaf
                                                                                                                                                                                                                          • Instruction ID: 8a1e2b8333ad6a574571ef74a267b756117d0849135357e0b61be7edc131f59a
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3459b8fafdf8a8df719c8fb692eff12af857f3ad78a1142d35235e32c4799eaf
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3C512AB4900245BBEB208F91CC88FAF7BB8FF85B10F100129F911BA2A5D7759945CB64

Control-flow Graph (graph image not reproduced; node and edge list follows)
                                                                                                                                                                                                                          control_flow_graph 310 401632-401646 call 401268 314 401648 310->314 315 40164b-401650 310->315 314->315 317 401965-40196d 315->317 318 401656-401667 315->318 317->315 323 401972-4019ba call 401268 317->323 321 401963 318->321 322 40166d-401696 318->322 321->323 322->321 330 40169c-4016b3 NtDuplicateObject 322->330 330->321 333 4016b9-4016dd NtCreateSection 330->333 335 401739-40175f NtCreateSection 333->335 336 4016df-401700 NtMapViewOfSection 333->336 335->321 337 401765-401769 335->337 336->335 338 401702-40171e NtMapViewOfSection 336->338 337->321 340 40176f-401790 NtMapViewOfSection 337->340 338->335 342 401720-401736 338->342 340->321 343 401796-4017b2 NtMapViewOfSection 340->343 342->335 343->321 345 4017b8 call 4017bd 343->345
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016AB
                                                                                                                                                                                                                          • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016D8
                                                                                                                                                                                                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016FB
                                                                                                                                                                                                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401719
                                                                                                                                                                                                                          • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040175A
                                                                                                                                                                                                                          • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040178B
                                                                                                                                                                                                                          • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017AD
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000005.00000002.2152719871.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wdugfia.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Section$View$Create$DuplicateObject
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1546783058-0
                                                                                                                                                                                                                          • Opcode ID: 73eedc29cdf7be90d3b565f1e242fa5b34b97ee6546eaec91e452f80b0ccb5af
                                                                                                                                                                                                                          • Instruction ID: e56c67f9e8f5edeb92f1a0f588b2a2b834a4b3448f2afe8c32594d36a8ed9c60
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 73eedc29cdf7be90d3b565f1e242fa5b34b97ee6546eaec91e452f80b0ccb5af
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9151F8B5900249BFEB208F91CC88FDFBBB8FF85B14F100159BA11BA2A5D7709945CB24

Control-flow Graph (graph image not reproduced; node and edge list follows)
                                                                                                                                                                                                                          control_flow_graph 349 4030c5-4030e9 350 40321c-403221 349->350 351 4030ef-403107 349->351 351->350 352 40310d-40311e 351->352 353 403120-403129 352->353 354 40312e-40313c 353->354 354->354 355 40313e-403145 354->355 356 403167-40316e 355->356 357 403147-403166 355->357 358 403190-403193 356->358 359 403170-40318f 356->359 357->356 360 403195-403198 358->360 361 40319c 358->361 359->358 360->361 362 40319a 360->362 361->353 363 40319e-4031a3 361->363 362->363 363->350 364 4031a5-4031a8 363->364 364->350 365 4031aa-403219 RtlCreateUserThread NtTerminateProcess 364->365 365->350
APIs (no argument-level entries recorded for this function; the control-flow graph places RtlCreateUserThread and NtTerminateProcess in block 4031aa-403219)
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000005.00000002.2152719871.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_400000_wdugfia.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CreateProcessTerminateThreadUser
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1921587553-0
                                                                                                                                                                                                                          • Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
                                                                                                                                                                                                                          • Instruction ID: 312986233a1ab2372f57b14058cfc035e9d9fe77e3ddd66eb4c0ae072f0c4bc6
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EB413631218E084FD768EF6CA84976277D5F798311F6643AAE809D7389EA34DC1183C5
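The API listings above (NtDuplicateObject, NtCreateSection with AllocationAttributes 08000000 = SEC_COMMIT and a zero FileHandle, then paired NtMapViewOfSection calls, one with ProcessHandle 000000FF and one with a run-time handle, the second section created PAGE_EXECUTE_READWRITE (00000040) and its second view mapped PAGE_EXECUTE_READ (00000020)) together with the RtlCreateUserThread / NtTerminateProcess block in this function are the shape of shared-section process injection: a pagefile-backed section is written through a local view and executed through a view in another process. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses lines in the report's API-list format and flags that chain. The sample trace is constructed from the argument lines printed above; the RtlCreateUserThread and NtTerminateProcess lines, for which the report prints no arguments, are added with unknown ('?') arguments and no address. Treating 000000FF as the report's rendering of the current-process pseudo-handle, and the finding names, are assumptions of this example.

```python
"""Flag shared-section process injection in a Joe Sandbox style API trace.

Added example, not code from the report or the sample.  Relies only on the
documented argument order of the NT APIs; handle spellings, finding names and
the sample trace are this example's own assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

SEC_COMMIT = 0x08000000                          # AllocationAttributes: pagefile-backed
PAGE_EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80    # any PAGE_EXECUTE* protection
CURRENT_PROCESS = {0xFF, 0xFFFFFFFF}             # assumption: report prints -1 as 000000FF
THREAD_APIS = {"RtlCreateUserThread", "NtCreateThreadEx", "NtCreateThread"}

# "Name.MODULE(arg,arg,...), ref: ADDR" with an optional leading bullet and optional ref.
API_RE = re.compile(r"^\s*(?:\u2022\s*)?(\w+)\.(\w+)\((.*?)\)(?:,\s*ref:\s*([0-9A-Fa-f]+))?\s*$")

# Constructed sample: the first seven lines are copied from the report's API list,
# the last two are added with unknown arguments because the report prints none.
SAMPLE_TRACE = """
NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016AB
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016D8
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016FB
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401719
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 0040175A
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 0040178B
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017AD
RtlCreateUserThread.NTDLL(?,?,?,?,?,?,?,?,?,?)
NtTerminateProcess.NTDLL(?,?)
"""


@dataclass
class Call:
    name: str
    module: str
    args: list            # int for hex literals, None for '?'
    ref: Optional[str]


def parse_trace(text: str) -> list:
    """Parse API-list lines; lines that do not match the format are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_RE.match(line)
        if not m:
            continue
        raw = m.group(3)
        args = [None if a.strip() == "?" else int(a, 16) for a in raw.split(",")] if raw else []
        calls.append(Call(m.group(1), m.group(2), args, m.group(4)))
    return calls


def find_section_injection(calls: list) -> list:
    """Pair each pagefile-backed NtCreateSection with a local and a remote view and
    report what protection the remote view received and whether a thread followed."""
    findings, pending = [], None
    for i, c in enumerate(calls):
        if c.name == "NtCreateSection" and len(c.args) >= 7:
            # (SectionHandle, DesiredAccess, ObjectAttributes, MaximumSize,
            #  SectionPageProtection, AllocationAttributes, FileHandle)
            page_protect, alloc_attr, file_handle = c.args[4], c.args[5], c.args[6]
            if alloc_attr is not None and alloc_attr & SEC_COMMIT and file_handle == 0:
                pending = {"create_index": i, "section_protect": page_protect,
                           "local": None, "remote": None}
        elif c.name == "NtMapViewOfSection" and pending is not None and len(c.args) >= 10:
            # (SectionHandle, ProcessHandle, BaseAddress, ZeroBits, CommitSize,
            #  SectionOffset, ViewSize, InheritDisposition, AllocationType, Win32Protect)
            proc, win32_protect = c.args[1], c.args[9]
            # A run-time handle ('?') that is not the current process is treated as the target.
            pending["local" if proc in CURRENT_PROCESS else "remote"] = (i, win32_protect)
            if pending["local"] and pending["remote"]:
                remote_index, remote_protect = pending["remote"]
                findings.append({
                    "create_ref": calls[pending["create_index"]].ref,
                    "section_protect": pending["section_protect"],
                    "local_protect": pending["local"][1],
                    "remote_protect": remote_protect,
                    "remote_executable": bool(remote_protect and remote_protect & PAGE_EXECUTE_MASK),
                    "thread_started": any(k.name in THREAD_APIS for k in calls[remote_index + 1:]),
                })
                pending = None
    return findings


def verdict(findings: list) -> str:
    """Collapse the findings into one label for triage."""
    if any(f["remote_executable"] and f["thread_started"] for f in findings):
        return "section-injection-with-remote-thread"
    if any(f["remote_executable"] for f in findings):
        return "section-injection"
    return "shared-section-only" if findings else "clean"


if __name__ == "__main__":
    found = find_section_injection(parse_trace(SAMPLE_TRACE))
    for f in found:
        print(f)
    print(verdict(found))
```

The first section pair (both views PAGE_READWRITE) is reported but not marked executable: on its own it is only a shared data buffer. The second pair, written locally as RW and mapped into the other process as PAGE_EXECUTE_READ, followed by a thread-creation call, is what distinguishes injection from benign shared memory, and the detector keys on the remote view's Win32Protect rather than on the section's own protection so that an RX remote view of an RWX section is still caught.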

Control-flow Graph
control_flow_graph 379 403222-40322c 380 4031ee-403212 RtlCreateUserThread NtTerminateProcess 379->380 381 40322e-403230 379->381 382 403213-403219 380->382 381->382 383 403232-40323e 381->383 384 40321c-403221 382->384
APIs
Memory Dump Source
• Source File: 00000005.00000002.2152719871.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wdugfia.jbxd
Similarity
• API ID: CreateProcessTerminateThreadUser
• String ID:
• API String ID: 1921587553-0
• Opcode ID: 5d7857a4a428113aea85439a71c383134f8f036b8fb53e8d04ea105b502fc76d
• Instruction ID: 7a3a570a7e2b6e2e57b365b8c386a87b2fd15f69fabf49474fc32827e03357c3
• Opcode Fuzzy Hash: 5d7857a4a428113aea85439a71c383134f8f036b8fb53e8d04ea105b502fc76d
• Instruction Fuzzy Hash: B8E09B3191494909E224E6A964423E4BB80F789236F6411EBD565D12C1E55F879782C6

Control-flow Graph
control_flow_graph 388 4017f7-40180c 389 401797-4017b2 NtMapViewOfSection 388->389 390 40180e-401810 388->390 391 401963-4019ba call 401268 389->391 392 4017b8 call 4017bd 389->392
APIs
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004017AD
Memory Dump Source
• Source File: 00000005.00000002.2152719871.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wdugfia.jbxd
Similarity
• API ID: SectionView
• String ID:
• API String ID: 1323581903-0
• Opcode ID: 85651f3789586eff84ea568efb8665d13f3d48c2f286855f18274e3928cd8560
• Instruction ID: d3ccb124cda5ba7a4bea3d036a5926c00f28a27dd7edc6978ea291a301fd4f8b
• Opcode Fuzzy Hash: 85651f3789586eff84ea568efb8665d13f3d48c2f286855f18274e3928cd8560
• Instruction Fuzzy Hash: 0EE02232504180AFEB248F70C88AEAA7FB0FF61308708026CE09054261D3364911CF58

Control-flow Graph
control_flow_graph 0 3f9003c-3f90047 1 3f90049 0->1 2 3f9004c-3f90263 call 3f90a3f call 3f90e0f call 3f90d90 VirtualAlloc 0->2 1->2 17 3f9028b-3f90292 2->17 18 3f90265-3f90289 call 3f90a69 2->18 20 3f902a1-3f902b0 17->20 22 3f902ce-3f903c2 VirtualProtect call 3f90cce call 3f90ce7 18->22 20->22 23 3f902b2-3f902cc 20->23 29 3f903d1-3f903e0 22->29 23->20 30 3f90439-3f904b8 VirtualFree 29->30 31 3f903e2-3f90437 call 3f90ce7 29->31 33 3f904be-3f904cd 30->33 34 3f905f4-3f905fe 30->34 31->29 36 3f904d3-3f904dd 33->36 37 3f9077f-3f90789 34->37 38 3f90604-3f9060d 34->38 36->34 40 3f904e3-3f90505 36->40 41 3f9078b-3f907a3 37->41 42 3f907a6-3f907b0 37->42 38->37 43 3f90613-3f90637 38->43 51 3f90517-3f90520 40->51 52 3f90507-3f90515 40->52 41->42 44 3f9086e-3f908be LoadLibraryA 42->44 45 3f907b6-3f907cb 42->45 46 3f9063e-3f90648 43->46 50 3f908c7-3f908f9 44->50 48 3f907d2-3f907d5 45->48 46->37 49 3f9064e-3f9065a 46->49 53 3f90824-3f90833 48->53 54 3f907d7-3f907e0 48->54 49->37 55 3f90660-3f9066a 49->55 58 3f908fb-3f90901 50->58 59 3f90902-3f9091d 50->59 60 3f90526-3f90547 51->60 52->60 57 3f90839-3f9083c 53->57 61 3f907e2 54->61 62 3f907e4-3f90822 54->62 56 3f9067a-3f90689 55->56 63 3f9068f-3f906b2 56->63 64 3f90750-3f9077a 56->64 57->44 65 3f9083e-3f90847 57->65 58->59 66 3f9054d-3f90550 60->66 61->53 62->48 67 3f906ef-3f906fc 63->67 68 3f906b4-3f906ed 63->68 64->46 69 3f90849 65->69 70 3f9084b-3f9086c 65->70 72 3f905e0-3f905ef 66->72 73 3f90556-3f9056b 66->73 76 3f9074b 67->76 77 3f906fe-3f90748 67->77 68->67 69->44 70->57 72->36 74 3f9056d 73->74 75 3f9056f-3f9057a 73->75 74->72 78 3f9059b-3f905bb 75->78 79 3f9057c-3f90599 75->79 76->56 77->76 84 3f905bd-3f905db 78->84 79->84 84->66
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 03F9024D
Strings
Memory Dump Source
• Source File: 00000005.00000002.2153839501.0000000003F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3f90000_wdugfia.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID: cess$kernel32.dll
• API String ID: 4275171209-1230238691
• Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction ID: 157d6c88b9430ebcbfaced4860059fb82ef658043e6ea51b5aeb2a03448f4ab5
• Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction Fuzzy Hash: D1526B75A01229DFEB64CF58C984BACBBB1BF09314F1480DAE54DAB351DB30AA85CF15

Control-flow Graph
control_flow_graph 366 2474652-247466b 367 247466d-247466f 366->367 368 2474676-2474682 CreateToolhelp32Snapshot 367->368 369 2474671 367->369 370 2474684-247468a 368->370 371 2474692-247469f Module32First 368->371 369->368 370->371 376 247468c-2474690 370->376 372 24746a1-24746a2 call 2474311 371->372 373 24746a8-24746b0 371->373 377 24746a7 372->377 376->367 376->371 377->373
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0247467A
• Module32First.KERNEL32(00000000,00000224), ref: 0247469A
Memory Dump Source
• Source File: 00000005.00000002.2153686108.0000000002471000.00000040.00000020.00020000.00000000.sdmp, Offset: 02471000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2471000_wdugfia.jbxd
Yara matches
Similarity
• API ID: CreateFirstModule32SnapshotToolhelp32
• String ID:
• API String ID: 3833638111-0
• Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction ID: fa540a0419e11516bb0450cc3bdf124d4c3e1cea69d3926909240f517859ed91
• Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction Fuzzy Hash: A4F062356007106BD7202AF5AC8CBBF76FDAF49B25F10052EE666925C0DBB4E8454A61

Control-flow Graph
control_flow_graph 385 3f90e0f-3f90e24 SetErrorMode * 2 386 3f90e2b-3f90e2c 385->386 387 3f90e26 385->387 387->386
APIs
• SetErrorMode.KERNELBASE(00000400,?,?,03F90223,?,?), ref: 03F90E19
• SetErrorMode.KERNELBASE(00000000,?,?,03F90223,?,?), ref: 03F90E1E
Memory Dump Source
• Source File: 00000005.00000002.2153839501.0000000003F90000.00000040.00001000.00020000.00000000.sdmp, Offset: 03F90000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_3f90000_wdugfia.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction ID: bcffb5b826030e6476582b58e98d393d8e51696329f6821d8c0e83e3e62363f5
• Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction Fuzzy Hash: 2CD0123554512977EB003A94DC09BCDBB1CDF05B62F048011FB0DD9080CB74954046E5

Control-flow Graph
control_flow_graph 451 4019bd-4019e0 455 4019e6-4019e9 451->455 456 4019ed 451->456 457 4019f0-401a23 call 401268 Sleep call 4014e8 455->457 456->455 456->457 465 401a32-401a38 457->465 466 401a25-401a2d call 4015e9 457->466 469 401a4e 465->469 470 401a3f-401a4a 465->470 466->465 469->470 471 401a51-401a80 call 401268 469->471 470->471
APIs
• Sleep.KERNELBASE(00001388), ref: 00401A0E
  • Part of subcall function 004015E9: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016AB
  • Part of subcall function 004015E9: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016D8
Memory Dump Source
• Source File: 00000005.00000002.2152719871.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wdugfia.jbxd
Similarity
• API ID: CreateDuplicateObjectSectionSleep
• String ID:
• API String ID: 4152845823-0
• Opcode ID: 002abf4147cc44dd106f2b9821ac185759d600f3530b55a8e676946b78b131f3
• Instruction ID: e2974f241766d04c7081462d4ca2abe6b5e4a304a4234f5a91902124bd20d52f
• Opcode Fuzzy Hash: 002abf4147cc44dd106f2b9821ac185759d600f3530b55a8e676946b78b131f3
• Instruction Fuzzy Hash: BC118EB134D204EBEB00AAD48D82E6B3658AB01754F30817BB607791F0D57D9A13FB6B

Control-flow Graph
(rendered graph omitted; the legend colours each basic block as Executed or Not Executed)

Basic blocks and edges from the sandbox's control-flow graph, written as block -> successor(s):
• 4019c8-4019cb -> 4019cc-4019df
• 4019cc-4019df -> 4019cc-4019df (loops on itself), 4019e1-4019e5
• 4019e1-4019e5 -> 401a51-401a80 (call 401268), 4019e7-401a23 (call 401268, Sleep, call 4014e8)
• 4019e7-401a23 -> 401a32-401a38, 401a25-401a2d (call 4015e9)
• 401a25-401a2d -> 401a32-401a38
• 401a32-401a38 -> 401a4e, 401a3f-401a4a
• 401a4e -> 401a51-401a80, 401a3f-401a4a
• 401a3f-401a4a -> 401a51-401a80
APIs
• Sleep.KERNELBASE(00001388), ref: 00401A0E
Memory Dump Source
• Source File: 00000005.00000002.2152719871.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wdugfia.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
• Opcode ID: 2344a0ec476235cd0ca625371c038d14233a4536a073d2e832153e82ec7f32c1
• Instruction ID: 9a362fc77340605c6e6f4b0bc9a5ecd872e53382ec3836953d58f0e25d3c226f
• Opcode Fuzzy Hash: 2344a0ec476235cd0ca625371c038d14233a4536a073d2e832153e82ec7f32c1
• Instruction Fuzzy Hash: 1311917670D241EBDB019AA08C81AAA37649F41300F2482BBF553791F1C53DDA13EB2B
APIs
• Sleep.KERNELBASE(00001388), ref: 00401A0E
  • Part of subcall function 004015E9: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016AB
  • Part of subcall function 004015E9: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016D8
Memory Dump Source
• Source File: 00000005.00000002.2152719871.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wdugfia.jbxd
Similarity
• API ID: CreateDuplicateObjectSectionSleep
• String ID:
• API String ID: 4152845823-0
• Opcode ID: 2d2a83572eca032da882ada7310456c8301e4701373321586ea13456b050a144
• Instruction ID: c75f0512fb6ac4c74365e36f38d693f082cd7c070fee16f1fd5a87275f204c49
• Opcode Fuzzy Hash: 2d2a83572eca032da882ada7310456c8301e4701373321586ea13456b050a144
• Instruction Fuzzy Hash: 1201717134E105EBDB009AD08D41A6A32199B45700F20817BB607781F1D67D8A12BB2B
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02474362
Memory Dump Source
• Source File: 00000005.00000002.2153686108.0000000002471000.00000040.00000020.00020000.00000000.sdmp, Offset: 02471000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_2471000_wdugfia.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction ID: 7fa0e6ab7176576259ab9646ada4e2495e6a17cb9b41f6b444fd54112206005e
• Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction Fuzzy Hash: 34113C79A00208FFDB01DF98C985E99BBF5AF08751F058095F9589B361D371EA50DF80
APIs
• Sleep.KERNELBASE(00001388), ref: 00401A0E
  • Part of subcall function 004015E9: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016AB
  • Part of subcall function 004015E9: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016D8
Memory Dump Source
• Source File: 00000005.00000002.2152719871.0000000000400000.00000040.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_400000_wdugfia.jbxd
Similarity
• API ID: CreateDuplicateObjectSectionSleep
• String ID:
• API String ID: 4152845823-0
• Opcode ID: 9a88e1a388e7f99f6910d9958252f34bb3826b2cbe02ae65f90951c14fd9a552
• Instruction ID: 0011880760dd260d211533c0e83e0a01d9c02e15723a0a2af455ba8ff62ae6bc
• Opcode Fuzzy Hash: 9a88e1a388e7f99f6910d9958252f34bb3826b2cbe02ae65f90951c14fd9a552
• Instruction Fuzzy Hash: 0501623170A205EBDB01ABE49D81EAA37249F05314F204177F503B91F1D67DDA12AF2B
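The function blocks above print their API calls with raw hexadecimal arguments (Sleep 00001388, VirtualAlloc protection 00000040, NtCreateSection attributes 08000000, NtDuplicateObject options 00000002). The Python below is an added example written for this page; it is neither Joe Sandbox output nor code from the analysed sample. It parses call lines in the exact format the report uses, expands the argument values into the Windows constant names they encode, and attaches a short triage note per call. The constant values are those from the Windows SDK and NT headers; SAMPLE_LINES is copied from the blocks above, and the finding strings are this editor's own triage heuristics, not something the sandbox states.

```python
"""Decode the API-call lines Joe Sandbox prints per function (added example, not from the report)."""
import re

# Constructed input: the four call lines that appear in the function blocks above.
SAMPLE_LINES = [
    "Sleep.KERNELBASE(00001388), ref: 00401A0E",
    "NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004016AB",
    "NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 004016D8",
    "VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02474362",
]

# Accepts the plain form and the "Part of subcall function XXXX: ..." form, with or without a bullet.
LINE_RE = re.compile(
    r"^(?:•\s*)?(?:Part of subcall function [0-9A-Fa-f]+: )?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$"
)

# Windows constants (values as defined in the SDK / NT headers).
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
SEC_FLAGS = {0x800000: "SEC_RESERVE", 0x1000000: "SEC_IMAGE", 0x8000000: "SEC_COMMIT"}
SECTION_ACCESS = {0x1: "SECTION_QUERY", 0x2: "SECTION_MAP_WRITE",
                  0x4: "SECTION_MAP_READ", 0x8: "SECTION_MAP_EXECUTE"}
DUP_OPTIONS = {0x1: "DUPLICATE_CLOSE_SOURCE", 0x2: "DUPLICATE_SAME_ACCESS"}


def names(value, table):
    """Expand a bit-mask into the constant names it contains (empty for None)."""
    return [n for bit, n in sorted(table.items()) if value is not None and value & bit]


def parse_call(line):
    """Split one report line into api, module, argument list (None for '?') and call-site address."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox API line: {line!r}")
    raw = m["args"].split(",") if m["args"] else []
    # '?' marks an argument the sandbox did not resolve (typically a pointer / out-parameter).
    args = [None if a == "?" else int(a, 16) for a in raw]
    return {"api": m["api"], "module": m["module"], "args": args, "ref": int(m["ref"], 16)}


def decode(call):
    """Return (human-readable description, list of triage findings) for one parsed call."""
    api, a = call["api"], call["args"]
    findings = []
    if api == "Sleep":
        ms = a[0]
        desc = f"Sleep({ms} ms)"
        if ms >= 1000:
            findings.append("multi-second delay (timing / sandbox evasion heuristic)")
    elif api == "VirtualAlloc":
        alloc, prot = names(a[2], MEM_FLAGS), PAGE_PROTECT.get(a[3], hex(a[3]))
        desc = f"VirtualAlloc(addr={a[0]:#x}, {'|'.join(alloc)}, {prot})"
        if a[3] & 0x40:
            findings.append("RWX allocation (staging area for unpacked code or shellcode)")
    elif api == "NtCreateSection":
        access, attrs = names(a[1], SECTION_ACCESS), names(a[5], SEC_FLAGS)
        prot = PAGE_PROTECT.get(a[4], hex(a[4]))
        backing = "pagefile-backed" if a[6] == 0 else f"file handle {a[6]:#x}"
        desc = f"NtCreateSection({'|'.join(access)}, {prot}, {'|'.join(attrs)}, {backing})"
        if a[6] == 0 and "SEC_COMMIT" in attrs:
            findings.append("anonymous committed section (building block of section-mapping injection)")
    elif api == "NtDuplicateObject":
        opts = names(a[6], DUP_OPTIONS)
        desc = f"NtDuplicateObject(options={'|'.join(opts) or hex(a[6])})"
        if "DUPLICATE_SAME_ACCESS" in opts:
            findings.append("duplicate inherits the source handle's full access rights")
    else:
        shown = ", ".join("?" if x is None else f"{x:#x}" for x in a)
        desc = f"{api}({shown})"
    return desc, findings


def triage(lines):
    """Parse and decode every line; returns one record per call, in input order."""
    out = []
    for line in lines:
        call = parse_call(line)
        desc, findings = decode(call)
        out.append({"ref": call["ref"], "desc": desc, "findings": findings})
    return out


if __name__ == "__main__":
    for r in triage(SAMPLE_LINES):
        print(f"{r['ref']:08X}  {r['desc']}")
        for f in r["findings"]:
            print(f"          ! {f}")
```

Run on the four lines, it reports a 5000 ms Sleep, a PAGE_EXECUTE_READWRITE commit, a pagefile-backed SEC_COMMIT / PAGE_READWRITE section opened for read and write, and a handle duplication with DUPLICATE_SAME_ACCESS. The 000000FF handle values and the "?" arguments are deliberately left uninterpreted: the report does not resolve them, so the decoder should not guess.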

Execution Graph

Execution Coverage: 1.2%
Dynamic/Decrypted Code Coverage: 21.8%
Signature Coverage: 7.1%
Total number of Nodes: 1543
Total number of Limit Nodes: 79
execution_graph (rendered graph omitted; the raw node/edge listing, which is cut off before its end on this page, is not reproduced here)

The listing covers nodes in the 0xb0xxxx to 0xb7xxxx address range and names the following Windows APIs on the paths it records: CRT start-up and error handling (GetStartupInfoW, GetModuleHandleW, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, RaiseException, EnterCriticalSection, LeaveCriticalSection); heap and locale support (RtlAllocateHeap, GetOEMCP, GetACP, IsValidCodePage, GetCPInfo, MultiByteToWideChar, WideCharToMultiByte, GetStringTypeW, LCMapStringEx, LCMapStringW, LoadLibraryExW, GetProcAddress, FreeLibrary, GetLastError); and network retrieval (InternetOpenUrlA, InternetReadFile). Most named nodes are CRT and C++ library internals (___scrt_release_startup_lock, __purecall, __dosmaperr, std::_Locinfo, Concurrency::task helpers); the InternetOpenUrlA / InternetReadFile path starting at b0f3c4 is the application-level code of interest.
API calls 145337->145423 145342 b13011 145349 b1306a LoadLibraryA CreateThread WaitForSingleObject FreeLibrary 145342->145349 145350 b130ce 145342->145350 145343 b129e8 145428 b64870 15 API calls 145343->145428 145344 b129be 145427 b64870 15 API calls 145344->145427 145347->145343 145347->145344 145349->145350 145453 39521f5 InitializeCriticalSectionAndSpinCount 145349->145453 145353 b12cd3 145351->145353 145354 b12cfd 145351->145354 145431 b64870 15 API calls 145353->145431 145432 b64870 15 API calls 145354->145432 145359 b13019 145436 b64870 15 API calls 145359->145436 145360 b12fef 145435 b64870 15 API calls 145360->145435 145361 b12f42 145361->145359 145361->145360 145365->145342 145365->145361 145433 b01d90 15 API calls 145365->145433 145434 b01de0 20 API calls 145365->145434 145372 b1400f 145366->145372 145368 b14bae 145368->145314 145369 b141c0 145370 b14274 145369->145370 145371 b1424a 145369->145371 145442 b64870 15 API calls 145370->145442 145441 b64870 15 API calls 145371->145441 145372->145369 145388 b1426c 145372->145388 145439 b01d90 15 API calls 145372->145439 145440 b01de0 20 API calls 145372->145440 145376 b14473 145378 b14527 145376->145378 145379 b144fd 145376->145379 145446 b64870 15 API calls 145378->145446 145445 b64870 15 API calls 145379->145445 145380 b14717 145385 b147a1 145380->145385 145386 b147cb 145380->145386 145449 b64870 15 API calls 145385->145449 145450 b64870 15 API calls 145386->145450 145388->145376 145395 b1451f 145388->145395 145443 b01d90 15 API calls 145388->145443 145444 b01de0 20 API calls 145388->145444 145392 b149bb 145392->145368 145393 b14a6d GetModuleHandleA GetProcAddress 145392->145393 145397 b14a9f ctype 145393->145397 145395->145380 145396 b147c3 145395->145396 145447 b01d90 15 API calls 145395->145447 145448 b01de0 20 API calls 145395->145448 145396->145392 145451 b01d90 15 API calls 145396->145451 145452 b01de0 20 API calls 145396->145452 145398 b14b3a VirtualProtect VirtualProtect 145397->145398 145437 b60910 
145398->145437 145401->145298 145402->145298 145403->145289 145404->145289 145405->145314 145406->145314 145407->145322 145408->145322 145409->145322 145410->145322 145411->145319 145412->145319 145413->145319 145414->145319 145415->145327 145416->145327 145417->145327 145418->145327 145419->145332 145420->145332 145421->145332 145422->145332 145423->145320 145424->145320 145425->145320 145426->145320 145427->145311 145428->145311 145429->145311 145430->145311 145431->145365 145432->145365 145433->145365 145434->145365 145435->145342 145436->145342 145438 b14b84 VirtualProtect 145437->145438 145438->145368 145439->145372 145440->145372 145441->145388 145442->145388 145443->145388 145444->145388 145445->145395 145446->145395 145447->145395 145448->145395 145449->145396 145450->145396 145451->145396 145452->145396 145454 3952214 145453->145454 145455 3952219 CreateMutexA 145453->145455 145456 3952235 GetLastError 145455->145456 145457 3952678 ExitProcess 145455->145457 145456->145457 145458 3952246 145456->145458 145531 3953bd2 145458->145531 145460 395264f DeleteCriticalSection 145460->145457 145461 3952251 145461->145460 145535 39547e6 145461->145535 145464 3952647 145466 3953536 2 API calls 145464->145466 145466->145460 145471 39522e0 145558 3953508 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 145471->145558 145473 39522ef 145559 3953508 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 145473->145559 145475 39525df 145624 3953d76 EnterCriticalSection 145475->145624 145477 39525f8 145637 3953536 145477->145637 145478 39522fe 145478->145475 145560 39546d4 GetModuleHandleA 145478->145560 145481 3952360 145481->145475 145563 3951f2d GetUserDefaultUILanguage 145481->145563 145483 3953536 2 API calls 145485 3952610 145483->145485 145487 3953536 2 API calls 145485->145487 145489 395261b 145487->145489 145488 39523b4 145488->145454 145492 39523dd ExitProcess 145488->145492 145495 39523e5 145488->145495 145491 3953536 2 
API calls 145489->145491 145490 39546d4 2 API calls 145490->145488 145493 3952626 145491->145493 145493->145464 145640 395536d 145493->145640 145496 3952412 ExitProcess 145495->145496 145497 395241a 145495->145497 145498 3952447 ExitProcess 145497->145498 145499 395244f 145497->145499 145574 3954ba2 145499->145574 145507 3952532 145652 3955239 145507->145652 145508 395251f 145509 39535db 11 API calls 145508->145509 145509->145507 145511 3952543 145512 3955239 4 API calls 145511->145512 145513 3952551 145512->145513 145514 3955239 4 API calls 145513->145514 145515 3952561 145514->145515 145516 3955239 4 API calls 145515->145516 145517 3952570 145516->145517 145518 3955239 4 API calls 145517->145518 145519 3952580 145518->145519 145520 3955239 4 API calls 145519->145520 145521 395258f 145520->145521 145656 3953508 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 145521->145656 145523 3952599 145524 39525b2 145523->145524 145525 39525a2 GetModuleFileNameW 145523->145525 145526 3955239 4 API calls 145524->145526 145525->145524 145527 39525cc 145526->145527 145528 3955239 4 API calls 145527->145528 145529 39525d7 145528->145529 145530 3953536 2 API calls 145529->145530 145530->145475 145532 3953bda 145531->145532 145657 3953508 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 145532->145657 145534 3953be5 145534->145461 145536 39546d4 2 API calls 145535->145536 145537 3954812 145536->145537 145538 3952283 145537->145538 145539 3955239 4 API calls 145537->145539 145538->145464 145544 39535db 145538->145544 145540 3954828 145539->145540 145541 3955239 4 API calls 145540->145541 145542 3954833 145541->145542 145543 3955239 4 API calls 145542->145543 145543->145538 145658 3952c08 145544->145658 145547 395484b 145548 3954860 VirtualAlloc 145547->145548 145551 39522c4 145547->145551 145549 395487f 145548->145549 145548->145551 145550 39546d4 2 API calls 145549->145550 145552 39548a1 145550->145552 145551->145464 145557 3953508 
EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 145551->145557 145552->145551 145553 39548d0 GetCurrentProcess IsWow64Process 145552->145553 145555 3955239 4 API calls 145553->145555 145556 39548fa 145555->145556 145556->145551 145557->145471 145558->145473 145559->145478 145561 39546f2 LoadLibraryA 145560->145561 145562 39546ff 145560->145562 145561->145562 145562->145481 145565 3951fa0 145563->145565 145564 39535db 11 API calls 145566 3951fd8 145564->145566 145565->145564 145567 39535db 11 API calls 145566->145567 145568 3951fe7 GetKeyboardLayoutList 145567->145568 145569 3952042 145568->145569 145573 3952001 145568->145573 145570 39535db 11 API calls 145569->145570 145571 395204e 145570->145571 145571->145488 145571->145490 145572 39535db 11 API calls 145572->145573 145573->145569 145573->145572 145575 3952468 CreateThread CreateThread WaitForMultipleObjects 145574->145575 145576 3954bb8 145574->145576 145601 39519df 145575->145601 145833 3951d3c 145575->145833 145849 395519f 145575->145849 145577 39546d4 2 API calls 145576->145577 145578 3954be9 145577->145578 145578->145575 145579 39546d4 2 API calls 145578->145579 145580 3954bfe 145579->145580 145580->145575 145581 3954c06 KiUserCallbackDispatcher GetSystemMetrics 145580->145581 145582 3954c2b 145581->145582 145583 3954c51 GetDC 145582->145583 145583->145575 145584 3954c65 GetCurrentObject 145583->145584 145585 3954e17 ReleaseDC 145584->145585 145586 3954c78 GetObjectW 145584->145586 145585->145575 145586->145585 145587 3954c8f 145586->145587 145588 39535db 11 API calls 145587->145588 145589 3954caf DeleteObject CreateCompatibleDC 145588->145589 145589->145585 145590 3954d24 CreateDIBSection 145589->145590 145591 3954d45 SelectObject 145590->145591 145592 3954e10 DeleteDC 145590->145592 145593 3954d55 BitBlt 145591->145593 145594 3954e09 DeleteObject 145591->145594 145592->145585 145593->145594 145595 3954d7a 145593->145595 145594->145592 145673 3953508 EnterCriticalSection 
GetProcessHeap RtlAllocateHeap LeaveCriticalSection 145595->145673 145597 3954d85 145597->145594 145598 3953d76 10 API calls 145597->145598 145599 3954dfe 145598->145599 145600 3953536 2 API calls 145599->145600 145600->145594 145602 39519ed 145601->145602 145606 3951a26 145601->145606 145604 3951a09 145602->145604 145674 3951000 145602->145674 145605 3951000 57 API calls 145604->145605 145604->145606 145605->145606 145607 3952054 145606->145607 145828 3953508 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 145607->145828 145609 3952103 GetCurrentHwProfileA 145610 3952117 145609->145610 145611 395212d GetSystemInfo 145609->145611 145612 39535db 11 API calls 145610->145612 145613 39535db 11 API calls 145611->145613 145614 395212a 145612->145614 145615 395214f 145613->145615 145614->145611 145617 3953536 2 API calls 145615->145617 145616 3952079 145616->145609 145618 3952159 GlobalMemoryStatusEx 145617->145618 145619 39535db 11 API calls 145618->145619 145622 3952188 145619->145622 145620 39521db EnumDisplayDevicesA 145621 39521ee ObtainUserAgentString 145620->145621 145620->145622 145621->145507 145621->145508 145622->145620 145623 39535db 11 API calls 145622->145623 145623->145622 145625 3953ea4 LeaveCriticalSection 145624->145625 145626 3953d98 145624->145626 145625->145477 145626->145625 145829 3953d1c 6 API calls 145626->145829 145628 3953dc1 145628->145625 145830 3953508 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 145628->145830 145630 3953dec 145831 3956c7f EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 145630->145831 145632 3953df6 145633 3953536 2 API calls 145632->145633 145634 3953e4f 145633->145634 145635 3953536 2 API calls 145634->145635 145636 3953e9f 145635->145636 145636->145625 145638 3952605 145637->145638 145639 395353a GetProcessHeap RtlFreeHeap 145637->145639 145638->145483 145639->145638 145641 39546d4 2 API calls 145640->145641 145642 39553f0 145641->145642 145643 
395546d socket 145642->145643 145651 39553f8 145642->145651 145644 3955491 145643->145644 145643->145651 145645 39554b1 connect 145644->145645 145644->145651 145646 3955517 Sleep 145645->145646 145647 39554c8 send 145645->145647 145646->145644 145647->145646 145648 39554ea send 145647->145648 145648->145646 145649 3955506 145648->145649 145650 3953536 2 API calls 145649->145650 145650->145651 145651->145493 145653 395525c 145652->145653 145654 3955288 145652->145654 145653->145654 145832 3953508 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 145653->145832 145654->145511 145656->145523 145657->145534 145659 3952c18 145658->145659 145669 3952c26 145658->145669 145670 3953508 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 145659->145670 145661 3952c76 145663 39522a9 145661->145663 145672 39551f6 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 145661->145672 145663->145547 145664 3953036 145665 3953536 2 API calls 145664->145665 145665->145663 145667 3952e29 WideCharToMultiByte 145667->145669 145668 3952eb1 WideCharToMultiByte 145668->145669 145669->145661 145669->145667 145669->145668 145671 3952991 WideCharToMultiByte IsDBCSLeadByte WideCharToMultiByte __aulldvrm 145669->145671 145670->145669 145671->145669 145672->145664 145673->145597 145675 3951412 145674->145675 145676 395101e 145674->145676 145675->145604 145676->145675 145711 395407d GetFileAttributesW 145676->145711 145678 3951035 145678->145675 145712 3953508 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 145678->145712 145680 3951049 145713 3953508 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 145680->145713 145682 3951052 145688 39513d5 145682->145688 145714 3953600 145682->145714 145683 3953536 2 API calls 145685 395140b 145683->145685 145687 3953536 2 API calls 145685->145687 145687->145675 145688->145683 145689 39513bd FindNextFileW 145689->145688 145693 3951173 
145689->145693 145691 3953600 7 API calls 145691->145693 145692 3953eb6 41 API calls 145692->145693 145693->145689 145693->145691 145693->145692 145699 3951662 EnterCriticalSection 145693->145699 145702 3953536 GetProcessHeap RtlFreeHeap 145693->145702 145704 3953d76 10 API calls 145693->145704 145706 3951389 145693->145706 145709 3951000 53 API calls 145693->145709 145717 395446c 145693->145717 145749 395369c 145693->145749 145753 3951a62 145693->145753 145761 3951c94 145693->145761 145768 3951ba5 145693->145768 145805 3953508 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 145693->145805 145694 39540ba 15 API calls 145694->145706 145779 3954e27 145699->145779 145702->145693 145704->145693 145706->145693 145706->145694 145707 3953600 7 API calls 145706->145707 145708 3953efc 43 API calls 145706->145708 145771 3953508 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 145706->145771 145772 3953eb6 145706->145772 145707->145706 145708->145706 145709->145693 145711->145678 145712->145680 145713->145682 145806 3953084 145714->145806 145815 395407d GetFileAttributesW 145717->145815 145719 395447e 145720 39546cd 145719->145720 145816 3953508 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 145719->145816 145720->145693 145722 3954494 145723 39546c5 145722->145723 145724 3953600 7 API calls 145722->145724 145725 3953536 2 API calls 145723->145725 145726 39544b1 145724->145726 145725->145720 145727 39544cf EnterCriticalSection 145726->145727 145728 3954539 LeaveCriticalSection 145727->145728 145729 395459b 145728->145729 145730 3954552 145728->145730 145729->145723 145731 39545be EnterCriticalSection 145729->145731 145730->145729 145732 395456f 145730->145732 145734 39545f5 LeaveCriticalSection 145731->145734 145818 39542ec 21 API calls 145732->145818 145737 3954691 EnterCriticalSection 145734->145737 145738 395460d 145734->145738 145735 3954574 145735->145729 145736 3954578 145735->145736 145739 
3953536 2 API calls 145736->145739 145742 39546ba LeaveCriticalSection 145737->145742 145817 3953508 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 145738->145817 145741 3954580 145739->145741 145744 395446c 29 API calls 145741->145744 145742->145723 145743 3954617 145743->145737 145746 3954634 EnterCriticalSection 145743->145746 145745 3954594 145744->145745 145745->145720 145747 3954675 LeaveCriticalSection 145746->145747 145747->145737 145748 3954689 145747->145748 145748->145737 145750 39536b0 145749->145750 145751 39536b4 145750->145751 145819 3953508 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 145750->145819 145751->145693 145754 3951a7a 145753->145754 145756 3951a7f 145753->145756 145820 3951a2d EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 145754->145820 145759 3951a84 145756->145759 145821 3953508 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 145756->145821 145759->145693 145760 3951ab3 145760->145759 145822 3951a4f GetProcessHeap RtlFreeHeap 145760->145822 145762 39546d4 2 API calls 145761->145762 145763 3951ccd 145762->145763 145764 3951cfa 145763->145764 145765 3951cdd CryptUnprotectData 145763->145765 145764->145693 145765->145764 145766 3951d05 145765->145766 145766->145764 145767 3951d0c CryptProtectData 145766->145767 145767->145764 145823 3953508 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 145768->145823 145770 3951bcb 145770->145693 145771->145706 145773 395446c 37 API calls 145772->145773 145774 3953ecc 145773->145774 145775 3953eeb 145774->145775 145777 3953d76 10 API calls 145774->145777 145776 3953536 2 API calls 145775->145776 145778 3953ef4 145776->145778 145777->145775 145778->145706 145780 3954e49 145779->145780 145781 3954e8a 145779->145781 145782 3953600 7 API calls 145780->145782 145790 395167e LeaveCriticalSection 145781->145790 145824 3953508 EnterCriticalSection GetProcessHeap RtlAllocateHeap 
LeaveCriticalSection 145781->145824 145785 3954e80 145782->145785 145784 3954eaa 145825 3953508 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 145784->145825 145826 395407d GetFileAttributesW 145785->145826 145788 3954eb4 145789 3953600 7 API calls 145788->145789 145791 3954ec2 FindFirstFileW 145789->145791 145790->145693 145792 3955183 145791->145792 145802 3954edf 145791->145802 145793 3953536 2 API calls 145792->145793 145794 395518a 145793->145794 145795 3953536 2 API calls 145794->145795 145795->145790 145796 395516b FindNextFileW 145796->145792 145796->145802 145797 3954f84 EnterCriticalSection 145799 3954e27 41 API calls 145797->145799 145800 3954f9f LeaveCriticalSection 145799->145800 145800->145796 145801 3954e27 41 API calls 145801->145802 145802->145796 145802->145797 145802->145801 145803 3953600 7 API calls 145802->145803 145804 3953eb6 41 API calls 145802->145804 145827 395407d GetFileAttributesW 145802->145827 145803->145802 145804->145802 145805->145693 145808 3953090 145806->145808 145807 3951156 FindFirstFileW 145807->145688 145807->145693 145808->145807 145810 395329d IsDBCSLeadByte 145808->145810 145812 3953308 IsDBCSLeadByte 145808->145812 145813 3953329 MultiByteToWideChar 145808->145813 145814 3952991 WideCharToMultiByte IsDBCSLeadByte WideCharToMultiByte __aulldvrm 145808->145814 145810->145808 145811 39532aa MultiByteToWideChar 145810->145811 145811->145808 145812->145808 145813->145808 145814->145808 145815->145719 145816->145722 145817->145743 145818->145735 145819->145751 145820->145756 145821->145760 145822->145759 145823->145770 145824->145784 145825->145788 145826->145781 145827->145802 145828->145616 145829->145628 145830->145630 145831->145632 145832->145653 145834 3951f25 145833->145834 145835 3951d54 145833->145835 145835->145834 145836 3953600 7 API calls 145835->145836 145837 3951d75 FindFirstFileW 145836->145837 145837->145834 145838 3951d94 145837->145838 145857 3953508 EnterCriticalSection 
GetProcessHeap RtlAllocateHeap LeaveCriticalSection 145838->145857 145840 3951f01 FindNextFileW 145841 3951f1c 145840->145841 145846 3951d9e 145840->145846 145842 3953536 2 API calls 145841->145842 145842->145834 145844 3953536 2 API calls 145844->145846 145845 3951d3c 41 API calls 145845->145846 145846->145840 145846->145844 145846->145845 145847 3953600 7 API calls 145846->145847 145848 3953eb6 41 API calls 145846->145848 145858 395408d 145846->145858 145847->145846 145848->145846 145850 39551ad 145849->145850 145851 39551ee 145849->145851 145864 3953508 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 145850->145864 145853 39551b7 145854 3954e27 45 API calls 145853->145854 145855 39551e7 145853->145855 145854->145853 145856 3953536 2 API calls 145855->145856 145856->145851 145857->145846 145860 3954095 145858->145860 145859 39540a7 145859->145846 145860->145859 145863 3953657 EnterCriticalSection GetProcessHeap RtlAllocateHeap LeaveCriticalSection 145860->145863 145862 39540b7 145862->145846 145863->145862 145864->145853 145865 b27eea 145866 b27ef2 145865->145866 145867 b18b77 VirtualAlloc 145865->145867 145880 b18ba8 145867->145880 145868 b197c2 145874 b19815 VirtualAlloc 145868->145874 145916 b1985a 145868->145916 145869 b18db3 145871 b18e91 145869->145871 145872 b18e67 145869->145872 146020 b64870 15 API calls 145871->146020 146019 b64870 15 API calls 145872->146019 145879 b1983f 145874->145879 145874->145916 145877 b190cc 145881 b191a4 145877->145881 145882 b1917a 145877->145882 146033 b6106c RaiseException 145879->146033 145880->145869 145892 b18e89 145880->145892 146017 b01d90 15 API calls 145880->146017 146018 b01de0 20 API calls 145880->146018 146024 b64870 15 API calls 145881->146024 146023 b64870 15 API calls 145882->146023 145883 b193df 145889 b194b7 145883->145889 145890 b1948d 145883->145890 146028 b64870 15 API calls 145889->146028 146027 b64870 15 API calls 145890->146027 145892->145877 145901 b1919c 145892->145901 146021 
b01d90 15 API calls 145892->146021 146022 b01de0 20 API calls 145892->146022 145895 b196f2 145897 b197a0 145895->145897 145898 b197ca 145895->145898 146031 b64870 15 API calls 145897->146031 146032 b64870 15 API calls 145898->146032 145901->145883 145903 b194af 145901->145903 146025 b01d90 15 API calls 145901->146025 146026 b01de0 20 API calls 145901->146026 145903->145868 145903->145895 146029 b01d90 15 API calls 145903->146029 146030 b01de0 20 API calls 145903->146030 145905 b19a68 145906 b19b40 145905->145906 145907 b19b16 145905->145907 146037 b64870 15 API calls 145906->146037 146036 b64870 15 API calls 145907->146036 145912 b19e53 146041 b64870 15 API calls 145912->146041 145913 b19e29 146040 b64870 15 API calls 145913->146040 145914 b19d7b 145914->145912 145914->145913 145916->145905 145924 b19b38 145916->145924 146034 b01d90 15 API calls 145916->146034 146035 b01de0 20 API calls 145916->146035 145919 b1a09a 145921 b1a172 145919->145921 145922 b1a148 145919->145922 146045 b64870 15 API calls 145921->146045 146044 b64870 15 API calls 145922->146044 145924->145914 145931 b19e4b 145924->145931 146038 b01d90 15 API calls 145924->146038 146039 b01de0 20 API calls 145924->146039 145928 b1a3ad 145929 b1a485 145928->145929 145930 b1a45b 145928->145930 146049 b64870 15 API calls 145929->146049 146048 b64870 15 API calls 145930->146048 145931->145919 145942 b1a16a 145931->145942 146042 b01d90 15 API calls 145931->146042 146043 b01de0 20 API calls 145931->146043 145935 b1a6ca 145937 b1a7a2 145935->145937 145938 b1a778 145935->145938 146053 b64870 15 API calls 145937->146053 146052 b64870 15 API calls 145938->146052 145940 b1a9dd 145945 b1aab5 145940->145945 145946 b1aa8b 145940->145946 145942->145928 145950 b1a47d 145942->145950 146046 b01d90 15 API calls 145942->146046 146047 b01de0 20 API calls 145942->146047 146057 b64870 15 API calls 145945->146057 146056 b64870 15 API calls 145946->146056 145948 b1ad04 145953 b1adb2 145948->145953 145954 b1addc 145948->145954 
145950->145935 145957 b1a79a 145950->145957 146050 b01d90 15 API calls 145950->146050 146051 b01de0 20 API calls 145950->146051 146060 b64870 15 API calls 145953->146060 146061 b64870 15 API calls 145954->146061 145955 b1b017 145961 b1b0c5 145955->145961 145962 b1b0ef 145955->145962 145957->145940 145963 b1aaad 145957->145963 146054 b01d90 15 API calls 145957->146054 146055 b01de0 20 API calls 145957->146055 146064 b64870 15 API calls 145961->146064 146065 b64870 15 API calls 145962->146065 145963->145948 145975 b1add4 145963->145975 146058 b01d90 15 API calls 145963->146058 146059 b01de0 20 API calls 145963->146059 145968 b1b336 145969 b1b3e4 145968->145969 145970 b1b40e 145968->145970 146068 b64870 15 API calls 145969->146068 146069 b64870 15 API calls 145970->146069 145973 b1b661 145977 b1b715 145973->145977 145978 b1b73f 145973->145978 145975->145955 145980 b1b0e7 145975->145980 146062 b01d90 15 API calls 145975->146062 146063 b01de0 20 API calls 145975->146063 146072 b64870 15 API calls 145977->146072 146073 b64870 15 API calls 145978->146073 145980->145968 145985 b1b406 145980->145985 146066 b01d90 15 API calls 145980->146066 146067 b01de0 20 API calls 145980->146067 145984 b1b9af 145986 b1ba63 145984->145986 145987 b1ba8d 145984->145987 145985->145973 145994 b1b737 ctype 145985->145994 146070 b01d90 15 API calls 145985->146070 146071 b01de0 20 API calls 145985->146071 146076 b64870 15 API calls 145986->146076 146077 b64870 15 API calls 145987->146077 145988 b1c4b7 145993 b1bce0 145995 b1bd94 145993->145995 145996 b1bdbe 145993->145996 145994->145984 146000 b1ba85 145994->146000 146074 b01d90 15 API calls 145994->146074 146075 b01de0 20 API calls 145994->146075 146080 b64870 15 API calls 145995->146080 146081 b64870 15 API calls 145996->146081 146000->145993 146013 b1bdb6 ctype 146000->146013 146078 b01d90 15 API calls 146000->146078 146079 b01de0 20 API calls 146000->146079 146002 b1c0b2 146003 b1c165 146002->146003 146004 b1c18f 146002->146004 146084 b64870 
15 API calls 146003->146084 146085 b64870 15 API calls 146004->146085 146008 b1c3e2 146010 b1c495 146008->146010 146011 b1c4bf 146008->146011 146088 b64870 15 API calls 146010->146088 146089 b64870 15 API calls 146011->146089 146013->146002 146016 b1c187 146013->146016 146082 b01d90 15 API calls 146013->146082 146083 b01de0 20 API calls 146013->146083 146016->145988 146016->146008 146086 b01d90 15 API calls 146016->146086 146087 b01de0 20 API calls 146016->146087 146017->145880 146018->145880 146019->145892 146020->145892 146021->145892 146022->145892 146023->145901 146024->145901 146025->145901 146026->145901 146027->145903 146028->145903 146029->145903 146030->145903 146031->145868 146032->145868 146033->145916 146034->145916 146035->145916 146036->145924 146037->145924 146038->145924 146039->145924 146040->145931 146041->145931 146042->145931 146043->145931 146044->145942 146045->145942 146046->145942 146047->145942 146048->145950 146049->145950 146050->145950 146051->145950 146052->145957 146053->145957 146054->145957 146055->145957 146056->145963 146057->145963 146058->145963 146059->145963 146060->145975 146061->145975 146062->145975 146063->145975 146064->145980 146065->145980 146066->145980 146067->145980 146068->145985 146069->145985 146070->145985 146071->145985 146072->145994 146073->145994 146074->145994 146075->145994 146076->146000 146077->146000 146078->146000 146079->146000 146080->146013 146081->146013 146082->146013 146083->146013 146084->146016 146085->146016 146086->146016 146087->146016 146088->145988 146089->145988 146090 b15d29 146100 b15d32 146090->146100 146091 b15f2e 146093 b16006 146091->146093 146094 b15fdc 146091->146094 146365 b64870 15 API calls 146093->146365 146364 b64870 15 API calls 146094->146364 146099 b16250 146101 b16327 146099->146101 146102 b162fd 146099->146102 146100->146091 146111 b15ffe 146100->146111 146362 b01d90 15 API calls 146100->146362 146363 b01de0 20 API calls 146100->146363 146369 b64870 15 API calls 
146101->146369 146368 b64870 15 API calls 146102->146368 146104 b16562 146108 b16639 146104->146108 146109 b1660f 146104->146109 146373 b64870 15 API calls 146108->146373 146372 b64870 15 API calls 146109->146372 146111->146099 146120 b1631f 146111->146120 146360 b1c4b7 146111->146360 146366 b01d90 15 API calls 146111->146366 146367 b01de0 20 API calls 146111->146367 146114 b16880 146116 b16958 146114->146116 146117 b1692e 146114->146117 146377 b64870 15 API calls 146116->146377 146376 b64870 15 API calls 146117->146376 146118 b16b93 146124 b16c41 146118->146124 146125 b16c6b 146118->146125 146120->146104 146126 b16631 146120->146126 146370 b01d90 15 API calls 146120->146370 146371 b01de0 20 API calls 146120->146371 146380 b64870 15 API calls 146124->146380 146381 b64870 15 API calls 146125->146381 146126->146114 146139 b16950 146126->146139 146374 b01d90 15 API calls 146126->146374 146375 b01de0 20 API calls 146126->146375 146130 b16eb7 146132 b16f64 146130->146132 146133 b16f8e 146130->146133 146384 b64870 15 API calls 146132->146384 146385 b64870 15 API calls 146133->146385 146137 b171c9 146140 b172a0 146137->146140 146141 b17276 146137->146141 146139->146118 146145 b16c63 146139->146145 146378 b01d90 15 API calls 146139->146378 146379 b01de0 20 API calls 146139->146379 146389 b64870 15 API calls 146140->146389 146388 b64870 15 API calls 146141->146388 146143 b174e7 146148 b17595 146143->146148 146149 b175bf 146143->146149 146145->146130 146152 b16f86 146145->146152 146382 b01d90 15 API calls 146145->146382 146383 b01de0 20 API calls 146145->146383 146392 b64870 15 API calls 146148->146392 146393 b64870 15 API calls 146149->146393 146150 b177fa 146156 b178d2 146150->146156 146157 b178a8 146150->146157 146152->146137 146159 b17298 146152->146159 146386 b01d90 15 API calls 146152->146386 146387 b01de0 20 API calls 146152->146387 146397 b64870 15 API calls 146156->146397 146396 b64870 15 API calls 146157->146396 146159->146143 146166 b175b7 146159->146166 146390 
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID: d
                                                                                                                                                                                                                          • API String ID: 0-2564639436
                                                                                                                                                                                                                          • Opcode ID: 774f8172f7039a83656fb9be5c8496fbc8a087263439cbda75eaf9e349d7b014
                                                                                                                                                                                                                          • Instruction ID: 61a8a225e110226d0d5315d2ceaddb01b643ca66997fda0470c37f9e2088b2b4
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 774f8172f7039a83656fb9be5c8496fbc8a087263439cbda75eaf9e349d7b014
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D0142871D04A2DCACB65DF24CC916AEBBB5FF46344F1086D9E40A7A281EB319AD1CF41

                                                                                                                                                                                                                          Control-flow Graph

                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                          control_flow_graph 2537 3954ba2-3954bb2 2538 3954e23-3954e26 2537->2538 2539 3954bb8-3954beb call 39546d4 2537->2539 2542 3954bf1-3954c00 call 39546d4 2539->2542 2543 3954e22 2539->2543 2542->2543 2546 3954c06-3954c5f KiUserCallbackDispatcher GetSystemMetrics call 3953576 * 4 GetDC 2542->2546 2543->2538 2555 3954c65-3954c72 GetCurrentObject 2546->2555 2556 3954e20-3954e21 2546->2556 2557 3954e17-3954e1a ReleaseDC 2555->2557 2558 3954c78-3954c89 GetObjectW 2555->2558 2556->2543 2557->2556 2558->2557 2559 3954c8f-3954d1e call 39535db DeleteObject CreateCompatibleDC 2558->2559 2559->2557 2562 3954d24-3954d3f CreateDIBSection 2559->2562 2563 3954d45-3954d4f SelectObject 2562->2563 2564 3954e10-3954e11 DeleteDC 2562->2564 2565 3954d55-3954d74 BitBlt 2563->2565 2566 3954e09-3954e0a DeleteObject 2563->2566 2564->2557 2565->2566 2567 3954d7a-3954d8c call 3953508 2565->2567 2566->2564 2567->2566 2570 3954d8e-3954df9 call 395354b * 3 call 3953d76 2567->2570 2578 3954dfe-3954e04 call 3953536 2570->2578 2578->2566
APIs
  • Part of subcall function 039546D4: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,03954812), ref: 039546E6
  • Part of subcall function 039546D4: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,03954812), ref: 039546F3
• KiUserCallbackDispatcher.NTDLL(0000004C), ref: 03954C13
• GetSystemMetrics.USER32(0000004D), ref: 03954C1A
• GetDC.USER32(00000000), ref: 03954C55
• GetCurrentObject.GDI32(00000000,00000007), ref: 03954C68
• GetObjectW.GDI32(00000000,00000018,?), ref: 03954C81
• DeleteObject.GDI32(00000000), ref: 03954CB3
• CreateCompatibleDC.GDI32(00000000), ref: 03954D14
• CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 03954D35
• SelectObject.GDI32(00000000,00000000), ref: 03954D47
• BitBlt.GDI32(00000000,00000000,00000000,?,03952468,00000000,?,?,00CC0020), ref: 03954D6C
  • Part of subcall function 03953508: EnterCriticalSection.KERNEL32(039584D4,?,?,039551B7), ref: 03953512
  • Part of subcall function 03953508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,039551B7), ref: 0395351B
  • Part of subcall function 03953508: RtlAllocateHeap.NTDLL(00000000,?,?,039551B7), ref: 03953522
  • Part of subcall function 03953508: LeaveCriticalSection.KERNEL32(039584D4,?,?,039551B7), ref: 0395352B
  • Part of subcall function 03953D76: EnterCriticalSection.KERNEL32(039584D4,00000000,00000000,00000000,?,?,?,?,?,03953EEB,00000000,00000000,00000000,00000000,00000000), ref: 03953D88
  • Part of subcall function 03953536: GetProcessHeap.KERNEL32(00000000,00000000,0395518A), ref: 0395353D
  • Part of subcall function 03953536: RtlFreeHeap.NTDLL(00000000), ref: 03953544
• DeleteObject.GDI32(00000000), ref: 03954E0A
• DeleteDC.GDI32(00000000), ref: 03954E11
• ReleaseDC.USER32(00000000,00000000), ref: 03954E1A
Strings
Memory Dump Source
• Source File: 00000009.00000002.2988116312.0000000003950000.00000040.00001000.00020000.00000000.sdmp, Offset: 03950000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3950000_2DF0.jbxd
Yara matches
Similarity
• API ID: Object$HeapSection$CriticalDelete$CreateEnterProcess$AllocateCallbackCompatibleCurrentDispatcherFreeHandleLeaveLibraryLoadMetricsModuleReleaseSelectSystemUser
• String ID: ($- ScreenSize: {lWidth=%d, lHeight=%d}$2$6$U$er32$gdi3
• API String ID: 1387450592-1028866296
• Opcode ID: 10ababf5db9d970da31ce92e56abba45f9f4e3a0970a4ff634cc5f3fe2b9fb22
• Instruction ID: 1210c64a8a1f6553a1c54aa4f8a9bb8dba55a8e58e0c10f922838311de20b2d5
• Opcode Fuzzy Hash: 10ababf5db9d970da31ce92e56abba45f9f4e3a0970a4ff634cc5f3fe2b9fb22
• Instruction Fuzzy Hash: 0F71B076E44308ABDB21DFA4DC45BEEBBB8EF44740F144059F905BB280DB709A85CB55

Control-flow Graph

control_flow_graph 2580 3951000-3951018 2581 3951412-3951418 2580->2581 2582 395101e-3951028 2580->2582 2582->2581 2583 395102e-3951037 call 395407d 2582->2583 2583->2581 2586 395103d-3951059 call 3953508 * 2 2583->2586 2591 3951404-395140d call 3953536 * 2 2586->2591 2592 395105f-3951061 2586->2592 2591->2581 2592->2591 2593 3951067-395116d call 3953600 FindFirstFileW 2592->2593 2599 39513d5-3951401 call 3953576 * 3 2593->2599 2600 3951173-3951192 call 395363b * 2 2593->2600 2599->2591 2609 3951198-39511b7 call 3953600 2600->2609 2610 39513ba 2600->2610 2616 39511bd-39511cf call 395372b 2609->2616 2617 3951769-3951770 2609->2617 2613 39513bd-39513cf FindNextFileW 2610->2613 2613->2599 2613->2600 2616->2617 2622 39511d5-39511e7 call 395372b 2616->2622 2617->2610 2619 3951776-3951794 call 395363b call 3953b60 2617->2619 2629 3951796-39517e3 call 3953508 call 3953600 call 3953eb6 2619->2629 2630 39517eb-39517f0 2619->2630 2622->2617 2628 39511ed-395120f call 395363b call 3953b60 2622->2628 2649 3951215-395121b 2628->2649 2650 395171e-3951749 call 39540ba 2628->2650 2629->2630 2631 39517f6-39517fb 2630->2631 2632 395199b-39519d2 call 3953600 call 3953eb6 2630->2632 2631->2632 2636 3951801-3951806 2631->2636 2647 39519d7-39519da 2632->2647 2636->2632 2640 395180c-3951811 2636->2640 2640->2632 2644 3951817-395181c 2640->2644 2644->2632 2648 3951822-3951827 2644->2648 2647->2613 2648->2632 2652 395182d-3951832 2648->2652 2649->2650 2654 3951221-3951227 2649->2654 2661 395152d-3951534 call 3953536 2650->2661 2662 395174f-395175a call 395372b 2650->2662 2652->2632 2657 3951838-395183d 2652->2657 2654->2650 2656 395122d-3951233 2654->2656 2656->2650 2659 3951239-395123f 2656->2659 2657->2632 2660 3951843-3951848 2657->2660 2659->2650 2663 3951245-395124b 2659->2663 2660->2632 2664 395184e-3951853 2660->2664 2661->2610 2662->2661 2671 3951760-3951762 2662->2671 2663->2650 2668 3951251-3951257 2663->2668 2664->2632 2669 3951859-395185e 2664->2669 2668->2650 2672 395125d-3951263 2668->2672 2669->2610 2673 3951864-3951878 call 395446c 2669->2673 2671->2617 2672->2650 2674 3951269-395126f 2672->2674 2679 39514b4-39514be call 3953536 2673->2679 2680 395187e-3951883 2673->2680 2674->2650 2676 3951275-395127b 2674->2676 2676->2650 2678 3951281-3951287 2676->2678 2678->2650 2682 395128d-3951293 2678->2682 2679->2610 2680->2679 2681 3951889-39518a1 call 39536f1 2680->2681 2681->2679 2689 39518a7-39518bf call 39536f1 2681->2689 2682->2650 2686 3951299-395129f 2682->2686 2686->2650 2688 39512a5-39512ab 2686->2688 2688->2650 2690 39512b1-39512b7 2688->2690 2689->2679 2695 39518c5-39518db call 395369c 2689->2695 2690->2650 2692 39512bd-39512c3 2690->2692 2692->2650 2694 39512c9-39512cf 2692->2694 2694->2650 2696 39512d5-39512db 2694->2696 2695->2679 2702 39518e1-39518ed call 3953625 2695->2702 2696->2650 2698 39512e1-39512e7 2696->2698 2698->2650 2699 39512ed-39512f3 2698->2699 2699->2650 2701 39512f9-39512ff 2699->2701 2701->2650 2703 3951305-395130b 2701->2703 2708 39518f3-3951906 call 3951a62 2702->2708 2709 39514ad-39514af call 3953536 2702->2709 2703->2650 2705 3951311-3951317 2703->2705 2705->2650 2707 395131d-3951323 2705->2707 2707->2650 2710 3951329-395132f 2707->2710 2708->2709 2716 395190c-3951911 2708->2716 2709->2679 2710->2650 2713 3951335-395133b 2710->2713 2713->2650 2715 3951341-3951347 2713->2715 2718 395134d-3951353 2715->2718 2719 395168c-39516c1 call 39540ba 2715->2719 2716->2709 2717 3951917-3951929 call 3951c94 2716->2717 2726 395198e-3951996 call 3953536 2717->2726 2727 395192b-3951974 call 3951ba5 call 3953600 call 3953d76 2717->2727 2718->2719 2722 3951359-395135f 2718->2722 2719->2679 2728 39516c7-39516d2 call 395372b 2719->2728 2722->2719 2725 3951365-395136b 2722->2725 2729 3951371-3951377 2725->2729 2730 3951662-3951687 EnterCriticalSection call 3954e27 LeaveCriticalSection 2725->2730 2726->2709 2764 3951979-395198b call 3953536 * 2 2727->2764 2728->2679 2743 39516d8-3951719 call 3953efc 2728->2743 2729->2730 2734 395137d-3951383 2729->2734 2730->2610 2740 3951419-395141f 2734->2740 2741 3951389-39513b4 call 3953efc 2734->2741 2745 3951425-3951447 call 39540ba 2740->2745 2746 39514c3-39514c9 2740->2746 2741->2610 2743->2679 2745->2679 2760 3951449-3951454 call 395372b 2745->2760 2748 3951539-395153f 2746->2748 2749 39514cb-39514ed call 39540ba 2746->2749 2753 3951576-395157c 2748->2753 2754 3951541-3951563 call 39540ba 2748->2754 2749->2661 2767 39514ef-39514fa call 395372b 2749->2767 2762 3951582-3951588 2753->2762 2763 395165b 2753->2763 2754->2661 2770 3951565-3951570 call 395372b 2754->2770 2760->2679 2777 3951456-39514a7 call 3953508 call 3953600 call 3953eb6 2760->2777 2762->2763 2768 395158e-3951594 2762->2768 2763->2730 2764->2726 2767->2661 2785 39514fc 2767->2785 2773 3951596-395159d 2768->2773 2774 39515a9-39515af 2768->2774 2770->2661 2788 3951572-3951574 2770->2788 2773->2774 2780 39515b1-39515b7 2774->2780 2781 39515e3-395160b call 39540ba 2774->2781 2777->2709 2780->2781 2787 39515b9-39515bf 2780->2787 2781->2661 2794 3951611-395161c call 395372b 2781->2794 2791 39514fe-3951527 call 3953efc 2785->2791 2787->2781 2792 39515c1-39515c7 2787->2792 2788->2791 2791->2661 2792->2781 2793 39515c9-39515cf 2792->2793 2793->2781 2797 39515d1-39515d8 call 3951000 2793->2797 2794->2661 2805 3951622-3951656 call 3953efc 2794->2805 2804 39515dd-39515de 2797->2804 2804->2610 2805->2661
APIs
• FindNextFileW.KERNELBASE(?,?), ref: 039513C7
  • Part of subcall function 0395407D: GetFileAttributesW.KERNELBASE(03955051,0395447E,?,?,?,?,?,?,?,?,?,?,?,?,?,03953ECC), ref: 0395407E
  • Part of subcall function 03953508: EnterCriticalSection.KERNEL32(039584D4,?,?,039551B7), ref: 03953512
  • Part of subcall function 03953508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,039551B7), ref: 0395351B
  • Part of subcall function 03953508: RtlAllocateHeap.NTDLL(00000000,?,?,039551B7), ref: 03953522
  • Part of subcall function 03953508: LeaveCriticalSection.KERNEL32(039584D4,?,?,039551B7), ref: 0395352B
• FindFirstFileW.KERNELBASE(00000000,?,0125DB08,?), ref: 03951161
  • Part of subcall function 03953EFC: FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 03953F5D
  • Part of subcall function 03953EFC: FindNextFileW.KERNEL32(03951710,?), ref: 03953FFE
• EnterCriticalSection.KERNEL32(039584D4), ref: 03951668
• LeaveCriticalSection.KERNEL32(039584D4), ref: 03951681
Strings
Memory Dump Source
• Source File: 00000009.00000002.2988116312.0000000003950000.00000040.00001000.00020000.00000000.sdmp, Offset: 03950000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3950000_2DF0.jbxd
Yara matches
Similarity
• API ID: File$CriticalFindSection$EnterFirstHeapLeaveNext$AllocateAttributesProcess
• String ID: $Lr$%s%s$%s\%s$%s\*$7a?=$Telegram
• API String ID: 1893179121-1537637304
• Opcode ID: bb8e16c1f88e2ff56773437a68a62ad298719d5a4b7eb8e1e841f383c4299442
• Instruction ID: 5fe264b0cd56e22f5ac44a4fb001e817b69237805972fd971b00da7a8fff1e1b
• Opcode Fuzzy Hash: bb8e16c1f88e2ff56773437a68a62ad298719d5a4b7eb8e1e841f383c4299442
• Instruction Fuzzy Hash: 5F32E776E053145BDF25EFA89890BFDB3B99F84290F18405AFC05AB290EB748EC5C791

Control-flow Graph

control_flow_graph 2857 3952054-39520a5 call 3953508 2860 39520a7-39520c6 2857->2860 2861 3952103-3952115 GetCurrentHwProfileA 2857->2861 2864 39520ce-39520d4 2860->2864 2865 39520c8-39520cc 2860->2865 2862 3952117-395212a call 39535db 2861->2862 2863 395212d-395219e GetSystemInfo call 39535db call 3953536 GlobalMemoryStatusEx call 39535db 2861->2863 2862->2863 2881 39521db-39521ec EnumDisplayDevicesA 2863->2881 2869 39520d6-39520dd 2864->2869 2870 39520df-39520e5 2864->2870 2868 39520ee-39520f9 call 395354b 2865->2868 2874 39520fc-3952101 2868->2874 2869->2868 2873 39520e7-39520eb 2870->2873 2870->2874 2873->2868 2874->2860 2874->2861 2882 39521a0-39521a9 2881->2882 2883 39521ee-39521f4 2881->2883 2884 39521ab-39521c7 call 39535db 2882->2884 2885 39521ca-39521da 2882->2885 2884->2885 2885->2881
APIs
  • Part of subcall function 03953508: EnterCriticalSection.KERNEL32(039584D4,?,?,039551B7), ref: 03953512
  • Part of subcall function 03953508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,039551B7), ref: 0395351B
  • Part of subcall function 03953508: RtlAllocateHeap.NTDLL(00000000,?,?,039551B7), ref: 03953522
  • Part of subcall function 03953508: LeaveCriticalSection.KERNEL32(039584D4,?,?,039551B7), ref: 0395352B
• GetCurrentHwProfileA.ADVAPI32(?), ref: 0395210B
• GetSystemInfo.KERNELBASE(?,?,0000011C), ref: 03952132
• GlobalMemoryStatusEx.KERNELBASE(?), ref: 03952166
• EnumDisplayDevicesA.USER32(00000000,00000002,?,00000001), ref: 039521E8
Strings
Memory Dump Source
• Source File: 00000009.00000002.2988116312.0000000003950000.00000040.00001000.00020000.00000000.sdmp, Offset: 03950000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3950000_2DF0.jbxd
Yara matches
Similarity
• API ID: CriticalHeapSection$AllocateCurrentDevicesDisplayEnterEnumGlobalInfoLeaveMemoryProcessProfileStatusSystem
• String ID: - CPU: %s (%d cores)$- HWID: %s$- RAM: %d GB$- VideoAdapter #%d: %s$@
• API String ID: 330852582-565344305
• Opcode ID: 9836a6782f1fb98833a9edbead18f93defaf288b959abd17a416e31602ded897
• Instruction ID: f12cb854aa8f21c340c6ba271ce34397bb4a2602950c9d771e9e315224166367
• Opcode Fuzzy Hash: 9836a6782f1fb98833a9edbead18f93defaf288b959abd17a416e31602ded897
• Instruction Fuzzy Hash: 0A4190726083059BD725DF64C881BABB7E9EBC4350F04492DFD899B241E770DA85CBA2

Control-flow Graph

control_flow_graph 2888 3954e27-3954e47 2889 3954e49-3954e8c call 3953600 call 395407d 2888->2889 2890 3954e98-3954ed9 call 3953508 * 2 call 3953600 FindFirstFileW 2888->2890 2900 3954e92 2889->2900 2901 3955198-395519e 2889->2901 2903 3955183-3955192 call 3953536 * 2 2890->2903 2904 3954edf-3954ef9 call 3953600 2890->2904 2900->2890 2903->2901 2910 3954fb1-3954fc7 call 395363b 2904->2910 2911 3954eff-3954f06 2904->2911 2914 395516b-395517d FindNextFileW 2910->2914 2919 3954fcd-39550ab call 3953600 call 3953eb6 call 395363b call 3953600 call 395407d 2910->2919 2913 3954f0c-3954f1e call 395372b 2911->2913 2911->2914 2913->2914 2921 3954f24-3954f36 call 395372b 2913->2921 2914->2903 2914->2904 2919->2914 2943 39550b1-3955165 call 395363b call 3953600 call 3953eb6 2919->2943 2921->2914 2927 3954f3c-3954f5b call 395363b call 3953b60 2921->2927 2936 3954f84-3954fac EnterCriticalSection call 3954e27 LeaveCriticalSection 2927->2936 2937 3954f5d-3954f62 2927->2937 2936->2914 2937->2936 2939 3954f64-3954f6b 2937->2939 2939->2914 2942 3954f71-3954f79 call 3954e27 2939->2942 2947 3954f7e-3954f7f 2942->2947 2949 395516a 2943->2949 2947->2949 2949->2914
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • FindFirstFileW.KERNELBASE(00000000,?,00000000,00000000), ref: 03954ECD
                                                                                                                                                                                                                          • EnterCriticalSection.KERNEL32(039584D4), ref: 03954F89
                                                                                                                                                                                                                            • Part of subcall function 03954E27: LeaveCriticalSection.KERNEL32(039584D4), ref: 03954FA6
                                                                                                                                                                                                                          • FindNextFileW.KERNELBASE(?,?), ref: 03955175
                                                                                                                                                                                                                            • Part of subcall function 0395407D: GetFileAttributesW.KERNELBASE(03955051,0395447E,?,?,?,?,?,?,?,?,?,?,?,?,?,03953ECC), ref: 0395407E
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000009.00000002.2988116312.0000000003950000.00000040.00001000.00020000.00000000.sdmp, Offset: 03950000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_3950000_2DF0.jbxd
                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: File$CriticalFindSection$AttributesEnterFirstLeaveNext
                                                                                                                                                                                                                          • String ID: %s\%s$%s\*$Telegram
                                                                                                                                                                                                                          • API String ID: 648860119-4994844
                                                                                                                                                                                                                          • Opcode ID: eb0c5b90e07d0d64543a8e8a3e6ea41aa1bf1368111ed842756da08e2a8932bc
                                                                                                                                                                                                                          • Instruction ID: 1bd5d18ec655dbb5cec2b5b88450854ae7f1073866aeabe5b9af6881be1b01b7
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: eb0c5b90e07d0d64543a8e8a3e6ea41aa1bf1368111ed842756da08e2a8932bc
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6BA1A729A15308A9EF10EBA0EC46BFEB775EF84750F10505AFD04EF2A0E7B14AC58759

Control-flow Graph (function at 03951D3C)
APIs
• FindFirstFileW.KERNELBASE(?), ref: 03951D83
  • Part of subcall function 03953508: EnterCriticalSection.KERNEL32(039584D4,?,?,039551B7), ref: 03953512
  • Part of subcall function 03953508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,039551B7), ref: 0395351B
  • Part of subcall function 03953508: RtlAllocateHeap.NTDLL(00000000,?,?,039551B7), ref: 03953522
  • Part of subcall function 03953508: LeaveCriticalSection.KERNEL32(039584D4,?,?,039551B7), ref: 0395352B
• FindNextFileW.KERNELBASE(00000000,?), ref: 03951F07
Memory Dump Source
• Source File: 00000009.00000002.2988116312.0000000003950000.00000040.00001000.00020000.00000000.sdmp, Offset: 03950000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3950000_2DF0.jbxd
Similarity
• API ID: CriticalFileFindHeapSection$AllocateEnterFirstLeaveNextProcess
• String ID: %s%s$%s\%s$%s\*
• API String ID: 3555643018-2064654797
• Opcode ID: ac949eb30a5d00a7fad7129687db746e5050a6527c2b93713efed19d0d5e9b38
• Instruction ID: 64e3d460fc9326a888eb4b3b6d8103fcab466167845537777a1ae1f9957ee78d
• Opcode Fuzzy Hash: ac949eb30a5d00a7fad7129687db746e5050a6527c2b93713efed19d0d5e9b38
• Instruction Fuzzy Hash: F641AF796093459BCB14FF24D894B7EB7E8AF84680F04491DFC95CB291EB31CAC98786

Control-flow Graph (function at 03951C94)
APIs
  • Part of subcall function 039546D4: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,03954812), ref: 039546E6
  • Part of subcall function 039546D4: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,03954812), ref: 039546F3
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 03951CF3
• CryptProtectData.CRYPT32(?,?,00000000,00000000,00000000,00000000,?), ref: 03951D29
Memory Dump Source
• Source File: 00000009.00000002.2988116312.0000000003950000.00000040.00001000.00020000.00000000.sdmp, Offset: 03950000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3950000_2DF0.jbxd
Similarity
• API ID: CryptData$HandleLibraryLoadModuleProtectUnprotect
• String ID: CRYPT32.dll$Poverty is the parent of crime.
• API String ID: 3642467563-1885057629
• Opcode ID: 18adb523a0127ba1ff43f35819ec2dfa5e9016564af0f35a46c0caa8706d5451
• Instruction ID: 8ecf8bb33ff46efe9e35272a68698ac04f17d3e15191e69015d6e513412078ed
• Opcode Fuzzy Hash: 18adb523a0127ba1ff43f35819ec2dfa5e9016564af0f35a46c0caa8706d5451
• Instruction Fuzzy Hash: B4115CB6D0020CABCF10DF95C880DEEFBBDEB48250F14456AE915B7240E770AE49CBA0

Control-flow Graph (function at 039521F5)
APIs
• InitializeCriticalSectionAndSpinCount.KERNEL32(039584D4,00000DA3), ref: 0395220A
• CreateMutexA.KERNELBASE(00000000,00000000,1e7f31ac-1494-47cc-9633-054c20e7432e), ref: 03952222
• GetLastError.KERNEL32 ref: 03952235
Memory Dump Source
• Source File: 00000009.00000002.2988116312.0000000003950000.00000040.00001000.00020000.00000000.sdmp, Offset: 03950000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3950000_2DF0.jbxd
Similarity
• API ID: CountCreateCriticalErrorInitializeLastMutexSectionSpin
• String ID: $$$d.log$- OperationSystem: %d:%d:%d$- UserAgent: %s$1e7f31ac-1494-47cc-9633-054c20e7432e$@$kernel32$shell32$systemd
• API String ID: 2005177960-3436640841
• Opcode ID: 56d9164251e84da86e7f0cf966a9fa56ce8087881888529cb3c1999426e4b2d0
• Instruction ID: ddf98d5c332e07dd25d40eb3589ac51a1d410968d9a77038ef3595e7cdf8bf81
• Opcode Fuzzy Hash: 56d9164251e84da86e7f0cf966a9fa56ce8087881888529cb3c1999426e4b2d0
• Instruction Fuzzy Hash: FBC1D235A08348AAEB11FFA0EC49BED7BB5AF85701F040459FE45AE2D1DB714AC5CB21

Control-flow Graph
APIs
  • Part of subcall function 0395407D: GetFileAttributesW.KERNELBASE(03955051,0395447E,?,?,?,?,?,?,?,?,?,?,?,?,?,03953ECC), ref: 0395407E
  • Part of subcall function 03953508: EnterCriticalSection.KERNEL32(039584D4,?,?,039551B7), ref: 03953512
  • Part of subcall function 03953508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,039551B7), ref: 0395351B
  • Part of subcall function 03953508: RtlAllocateHeap.NTDLL(00000000,?,?,039551B7), ref: 03953522
  • Part of subcall function 03953508: LeaveCriticalSection.KERNEL32(039584D4,?,?,039551B7), ref: 0395352B
• EnterCriticalSection.KERNEL32(039584D4), ref: 039544F5
• LeaveCriticalSection.KERNEL32(039584D4), ref: 03954541
• EnterCriticalSection.KERNEL32(039584D4), ref: 039545C4
• LeaveCriticalSection.KERNEL32(039584D4), ref: 039545FD
• EnterCriticalSection.KERNEL32(039584D4), ref: 0395463A
• LeaveCriticalSection.KERNEL32(039584D4), ref: 0395467D
• EnterCriticalSection.KERNEL32(039584D4), ref: 03954696
• LeaveCriticalSection.KERNEL32(039584D4), ref: 039546BF
  • Part of subcall function 039542EC: GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation,00000000,00000000,00000000,?,?,?,?,03954574), ref: 03954305
  • Part of subcall function 039542EC: GetProcAddress.KERNEL32(00000000), ref: 0395430E
  • Part of subcall function 039542EC: GetModuleHandleA.KERNEL32(ntdll,NtQueryObject,?,?,?,?,03954574), ref: 0395431F
  • Part of subcall function 039542EC: GetProcAddress.KERNEL32(00000000), ref: 03954322
  • Part of subcall function 039542EC: OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,?,?,03954574), ref: 039543A4
  • Part of subcall function 039542EC: GetCurrentProcess.KERNEL32(03954574,00000000,00000000,00000002,?,?,?,?,03954574), ref: 039543C0
  • Part of subcall function 039542EC: DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,03954574), ref: 039543CF
  • Part of subcall function 039542EC: CloseHandle.KERNEL32(03954574,?,?,?,?,03954574), ref: 039543FF
                                                                                                                                                                                                                            • Part of subcall function 03953536: GetProcessHeap.KERNEL32(00000000,00000000,0395518A), ref: 0395353D
                                                                                                                                                                                                                            • Part of subcall function 03953536: RtlFreeHeap.NTDLL(00000000), ref: 03953544
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000009.00000002.2988116312.0000000003950000.00000040.00001000.00020000.00000000.sdmp, Offset: 03950000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_3950000_2DF0.jbxd
                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalSection$EnterLeave$HandleHeapProcess$AddressModuleProc$AllocateAttributesCloseCurrentDuplicateFileFreeOpen
                                                                                                                                                                                                                          • String ID: @$\??\%s$\Network\Cookies
                                                                                                                                                                                                                          • API String ID: 330363434-2791195959
                                                                                                                                                                                                                          • Opcode ID: 187cad080726269c1ff22075bf1dea7e108bb0f7364f6971c4c3dfa8d95ecc89
                                                                                                                                                                                                                          • Instruction ID: 0d9241a45515a6a9f15f5cc6ad88bfd45994f50b8cc0e95c3f65bc096ee4dd2e
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 187cad080726269c1ff22075bf1dea7e108bb0f7364f6971c4c3dfa8d95ecc89
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F1714A75A45308AFEB44EFA0D849BEDBBB5FB44305F108015F901AE1D1DBB19AC6CB40

Control-flow Graph (interactive graph rendering not reproduced in text)

APIs
  • Part of subcall function 039546D4: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,03954812), ref: 039546E6
  • Part of subcall function 039546D4: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,03954812), ref: 039546F3
• socket.WS2_32(?,00000001,00000000), ref: 03955480
• connect.WS2_32(000000FF,?,00000010), ref: 039554BF
• send.WS2_32(000000FF,00000000,00000000), ref: 039554E1
• send.WS2_32(000000FF,000000FF,00000037,00000000), ref: 039554FD
Strings
Memory Dump Source
• Source File: 00000009.00000002.2988116312.0000000003950000.00000040.00001000.00020000.00000000.sdmp, Offset: 03950000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3950000_2DF0.jbxd
Yara matches
Similarity
• API ID: send$HandleLibraryLoadModuleconnectsocket
• String ID: 146.70.169.164$ws2_32.dll
• API String ID: 2781119014-4085977579
• Opcode ID: 80d0bcaaece3839958009f2467f60f34958ad7b868983d41641659e5770b8649
• Instruction ID: 43a33b6f295c8b81453385f5dec7e907ed23e3dce36bc9df8182da9b77c58bae
• Opcode Fuzzy Hash: 80d0bcaaece3839958009f2467f60f34958ad7b868983d41641659e5770b8649
• Instruction Fuzzy Hash: 8851A631D08289EEEB12CBE8D8097EDBFB89F16314F144599E951AE1C2C3B54786CB61
Strings
Memory Dump Source
• Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
• Opcode ID: 915b5c3b5aedb868d7d7a0d60acd46e1eafac67fa7c0708e82e2132fbb9fde76
• Instruction ID: 32778d4870c5c5f6d12521e51214cbd80ae15e2a0ebc7b2db31e950d26fee74d
• Opcode Fuzzy Hash: 915b5c3b5aedb868d7d7a0d60acd46e1eafac67fa7c0708e82e2132fbb9fde76
• Instruction Fuzzy Hash: CD632370C04A1CCACB26DF68D9916EEF7B5FF56344F1086D9E40A3A241EB31AAD19F41

Control-flow Graph (interactive graph rendering not reproduced in text)

Strings
Memory Dump Source
• Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
• Opcode ID: 53e270ec0a0397a4b3b96f19ede937faa645044f13fd83d745685422895ad34e
• Instruction ID: 1e0672645b4e0db2492430840c4f039a6861b6305f6e7520a518efb6111f0a82
• Opcode Fuzzy Hash: 53e270ec0a0397a4b3b96f19ede937faa645044f13fd83d745685422895ad34e
• Instruction Fuzzy Hash: B1722670C00A18CACB15DFA8D8916EEFBB5FF56344F5082D9E41A7B281EB319AD5CB41
Strings
Memory Dump Source
• Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
Similarity
• API ID:
• String ID: d
• API String ID: 0-2564639436
• Opcode ID: 74a347a7bbedac585a1bad9f3505b5b93ac8279d4373f93fcf68a89a05cdd2be
• Instruction ID: bf2920bfd2f6a7469009ea42fd243ff0a153b0d89a29c07bcdf215771d11e956
• Opcode Fuzzy Hash: 74a347a7bbedac585a1bad9f3505b5b93ac8279d4373f93fcf68a89a05cdd2be
• Instruction Fuzzy Hash: C6D32571C04A18CACB26DF68C9916EEF7B5FF56344F5082DAE40A3A241DB31AAD1DF41

Control-flow Graph: function 0395484B (graph image omitted; blocks marked executed / not executed; calls VirtualAlloc, GetCurrentProcess, IsWow64Process and subcalls 039546D4, 0395354B, 03955239)

APIs
• VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000040,0000011C,?,?,?,?,?,039522C4), ref: 0395486C
  • Part of subcall function 039546D4: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,03954812), ref: 039546E6
  • Part of subcall function 039546D4: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,03954812), ref: 039546F3
• GetCurrentProcess.KERNEL32(039522C4), ref: 039548E0
• IsWow64Process.KERNEL32(00000000), ref: 039548E7
Strings
Memory Dump Source
• Source File: 00000009.00000002.2988116312.0000000003950000.00000040.00001000.00020000.00000000.sdmp, Offset: 03950000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3950000_2DF0.jbxd
Yara matches
Similarity
• API ID: Process$AllocCurrentHandleLibraryLoadModuleVirtualWow64
• String ID: l$ntdl
• API String ID: 1207166019-924918826
• Opcode ID: 1388d17f6c5f13b60ab52eea72f710e224dbd60427db4ebf1f35b3898e5ec91a
• Instruction ID: 748c2c28bbb5ee8a7511ffc3bb7002dab9711fbde0c2bf3f0201c6864f7dfe5a
• Instruction Fuzzy Hash: 2F81903170C3059AEBA4EE55E85AB7D33ACFB00751F14095AFE099F2D4E7B489C48B46

Control-flow Graph: function 00B13052 (graph image omitted; blocks marked executed / not executed; calls LoadLibraryA, CreateThread, WaitForSingleObject, FreeLibrary)

APIs
• LoadLibraryA.KERNELBASE(?), ref: 00B1307F
• CreateThread.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000), ref: 00B130A2
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B130B7
• FreeLibrary.KERNEL32(?), ref: 00B130C4
Memory Dump Source
• Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
Similarity
• API ID: Library$CreateFreeLoadObjectSingleThreadWait
• String ID:
• API String ID: 2432312608-0
• Opcode ID: 6ba41e12b9e8275c6c732021f52bde7cb949d8f0fcab8169cbb0701a23742322
• Instruction ID: acb58b72dcaf0760773d806c63da935dac965cc1e9ba5c373e8009d5f8c07e8f
• Instruction Fuzzy Hash: 56011970A803189BDB248F64DC8CBAA77B4FB14715F1006C8EA2D5B2A1DAB16EC0CF50

Control-flow Graph: function 03953512 region (graph image omitted; calls EnterCriticalSection, GetProcessHeap, RtlAllocateHeap, LeaveCriticalSection)

APIs
• EnterCriticalSection.KERNEL32(039584D4,?,?,039551B7), ref: 03953512
• GetProcessHeap.KERNEL32(00000008,00000208,?,?,039551B7), ref: 0395351B
• RtlAllocateHeap.NTDLL(00000000,?,?,039551B7), ref: 03953522
• LeaveCriticalSection.KERNEL32(039584D4,?,?,039551B7), ref: 0395352B
Memory Dump Source
• Source File: 00000009.00000002.2988116312.0000000003950000.00000040.00001000.00020000.00000000.sdmp, Offset: 03950000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3950000_2DF0.jbxd
Yara matches
Similarity
• API ID: CriticalHeapSection$AllocateEnterLeaveProcess
• String ID:
• API String ID: 1367039788-0
• Opcode ID: 0acf4077344b9a46b92d4e741184495c367dc0772868059a6daca29591ed423e
• Instruction ID: 966bd4f902fa063083369b158298d51c5655a32c51f7856c1e740623f470e503
• Instruction Fuzzy Hash: 41D0C73360932067CB507BF9BC0C99BBFECEF95562B05005AF605CB154CAB4CD8587A0

Control-flow Graph: function 039546D4 (graph image omitted; blocks marked executed / not executed; calls GetModuleHandleA, LoadLibraryA and subcalls 03953625, 03953B60)

APIs
• GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,03954812), ref: 039546E6
• LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,03954812), ref: 039546F3
Strings
Memory Dump Source
• Source File: 00000009.00000002.2988116312.0000000003950000.00000040.00001000.00020000.00000000.sdmp, Offset: 03950000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3950000_2DF0.jbxd
Yara matches
Similarity
• API ID: HandleLibraryLoadModule
• String ID: ntdl
• API String ID: 4133054770-3973061744
• Opcode ID: 2810d73eff298fb488da34da9dba1283c9772a61656f625ae91c95948ca26f46
• Instruction ID: de4aa55e164b5ab11e5da39d261e117f3813dd1232a3e884788fd4ea18bd18d5
• Instruction Fuzzy Hash: F1318E79E006159BCB64CFAEC890ABDF7B9BF4A714F080299E81197741C7349AD1CBA0

Control-flow Graph: function 00B5FCA5 (graph image omitted; blocks marked executed / not executed; internal subcalls only, including 00B67E88, 00B67E5D, 00B5FFB3, 00B60489, 00B5FF1F, 00B6048F, 00B605AA, 00B67E0A, 00B1CF50, 00B68191, 00B605E0, 00B681B7, 00B6817B, 00B6816C, 00B5FFD0)

APIs
• ___scrt_release_startup_lock.LIBCMT ref: 00B5FCF5
• ___scrt_uninitialize_crt.LIBCMT ref: 00B5FD72
Strings
Memory Dump Source
• Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
Similarity
• API ID: ___scrt_release_startup_lock___scrt_uninitialize_crt
• String ID: VPWh
• API String ID: 3421992214-353207083
• Opcode ID: ffe97b70b4a9aff73ffaf7793dee2d78539017e7c6c25e68fdc42ce65377ba23
• Instruction ID: dcd8548e9ac34cfa23ee105f66172608685b0ade9854ff7a1bdb574dc54a9d00
• Opcode Fuzzy Hash: ffe97b70b4a9aff73ffaf7793dee2d78539017e7c6c25e68fdc42ce65377ba23
• Instruction Fuzzy Hash: 7921263258831766DA207B74A807B7EA7F0DF42762F2001FAFD95776E2DF2A4C458690
APIs
• __freea.LIBCMT ref: 00B6EF97
  • Part of subcall function 00B6AC15: RtlAllocateHeap.NTDLL(00000000,00000000,?,?,00B5FB1F,00000000,?,00B1322C,00000000,?,00B013A5,00000000), ref: 00B6AC47
• __freea.LIBCMT ref: 00B6EFAA
• __freea.LIBCMT ref: 00B6EFB7
Memory Dump Source
• Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
Similarity
• API ID: __freea$AllocateHeap
• String ID:
• API String ID: 2243444508-0
• Opcode ID: 60ac8868f2cdc90c16b44d54fec3b027831b549ce98234f5ad2433bc4f60efdd
• Instruction ID: 92fdf9af562fb9a4b6bdd9ef4af4df716731af53face70d08badfb8988fe899c
• Opcode Fuzzy Hash: 60ac8868f2cdc90c16b44d54fec3b027831b549ce98234f5ad2433bc4f60efdd
• Instruction Fuzzy Hash: 6451B176600206AFEB219E648C85EBB7AE9EF94310B1500A9FD28D7140EB39CC50CB61
APIs
  • Part of subcall function 00B72A95: GetOEMCP.KERNEL32(00000000,?,?,00000000,?), ref: 00B72AC0
• IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,00B72DA5,?,00000000,?,00000000,?), ref: 00B72FC2
• GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,00B72DA5,?,00000000,?,00000000,?), ref: 00B72FFE
Memory Dump Source
• Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
Similarity
• API ID: CodeInfoPageValid
• String ID:
• API String ID: 546120528-0
• Opcode ID: c61e9a9d0864cdd92f736376b1d81160a737cefb2460b89604e1f891c80eac80
• Instruction ID: cd2d86eb559df2942201df841f6971137fcc2f072b81a9439ec5a9492c13297b
• Opcode Fuzzy Hash: c61e9a9d0864cdd92f736376b1d81160a737cefb2460b89604e1f891c80eac80
• Instruction Fuzzy Hash: 63512370A003458EDB20CF36C881BABBBF5EF41700F14C4EED1AA8B251E6799A46DB50
APIs
• LCMapStringEx.KERNELBASE(?,00B6EED2,?,?,-00000008,?,00000000,00000000,00000000,00000000,00000000), ref: 00B6E207
• LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,-00000008,-00000008,?,00B6EED2,?,?,-00000008,?,00000000), ref: 00B6E225
Memory Dump Source
• Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
Similarity
• API ID: String
• String ID:
• API String ID: 2568140703-0
• Opcode ID: 998711c8c7f21b6641c743dafbb62d3c689665fb3bdb5f34e5db8cc9de8a6266
• Instruction ID: 6bca05ec78f82a45ae199b4734643e7c70ee528552a9b6c842ba960120492bb9
• Opcode Fuzzy Hash: 998711c8c7f21b6641c743dafbb62d3c689665fb3bdb5f34e5db8cc9de8a6266
• Instruction Fuzzy Hash: F7F07A3640011AFBCF126F91DC15DDE7F6AFF487A0F058451FA2826020CB36D871AB90
APIs
• GetProcessHeap.KERNEL32(00000000,00000000,0395518A), ref: 0395353D
• RtlFreeHeap.NTDLL(00000000), ref: 03953544
Memory Dump Source
• Source File: 00000009.00000002.2988116312.0000000003950000.00000040.00001000.00020000.00000000.sdmp, Offset: 03950000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3950000_2DF0.jbxd
Yara matches
Similarity
• API ID: Heap$FreeProcess
• String ID:
• API String ID: 3859560861-0
• Opcode ID: 33c5cb783e0d5051a8ed90a7e71b256693a767a9bad2adb0bb9c96e2741c6c50
• Instruction ID: 65435de679f541826e9c54aef9bcb98c37c1cdab38331e55de40919be67102e2
• Opcode Fuzzy Hash: 33c5cb783e0d5051a8ed90a7e71b256693a767a9bad2adb0bb9c96e2741c6c50
• Instruction Fuzzy Hash: 34B092765092006AEE88ABF0990DB3A3758AB00643F041088B60699044867882808720
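The dump names above carry the memory-region metadata an analyst triages first: the function at 03950000 (the one with Yara matches) lives in a region whose name encodes protection 00000040 and type 00020000, while the main image at 00B00000 is type 01000000 with mostly 00000020 / 00000002 protections, except for the 00B8B000 region which is also 00000040. The following Python script is an added helper for this report, not Joe Sandbox's own tooling. The field order of the .sdmp name (process, stage, dump id, base, protection, an unused fifth field, memory type, index) is an assumption inferred from the names listed in this section; the numeric values are interpreted with the documented Win32 PAGE_* and MEM_* constants. It flags regions that are executable but not backed by an image (the usual signature of unpacked or injected code) and regions that are writable and executable at once.

```python
"""Triage Joe Sandbox memory-dump names for executable non-image and W+X regions.

Added example; not part of the Joe Sandbox report. The dump-name layout is an
ASSUMPTION inferred from the names in this report section:
    <proc>.<stage>.<dumpid>.<base16>.<protect>.<field5>.<mtype>.<index>.sdmp
Protection and memory-type values are the standard winnt.h constants.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Page protection constants (winnt.h)
PAGE_READWRITE = 0x04
PAGE_WRITECOPY = 0x08
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
_EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
_WRITE_MASK = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

# Region type constants (MEMORY_BASIC_INFORMATION.Type)
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000

# Assumed name layout; <field5> is not interpreted here.
_SDMP = re.compile(
    r"^(?P<proc>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dumpid>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<field5>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<index>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    name: str
    proc: int
    stage: int
    base: int
    protect: int
    mem_type: int


def parse_dump_name(name: str) -> DumpRegion:
    """Split one .sdmp file name into its numeric fields (hex except dumpid)."""
    m = _SDMP.match(name.strip())
    if not m:
        raise ValueError(f"not a Joe Sandbox dump name: {name!r}")
    return DumpRegion(
        name=name.strip(),
        proc=int(m["proc"], 16),
        stage=int(m["stage"], 16),
        base=int(m["base"], 16),
        protect=int(m["protect"], 16),
        mem_type=int(m["mtype"], 16),
    )


def is_executable(protect: int) -> bool:
    return bool(protect & _EXEC_MASK)


def is_writable(protect: int) -> bool:
    return bool(protect & _WRITE_MASK)


def region_flags(r: DumpRegion) -> List[str]:
    """Reasons a region deserves a closer look; empty list means nothing notable."""
    flags = []
    if r.mem_type != MEM_IMAGE and is_executable(r.protect):
        flags.append("executable memory not backed by an image (unpacked or injected code)")
    if is_executable(r.protect) and is_writable(r.protect):
        flags.append("writable and executable at once (self-modifying or staging region)")
    return flags


def triage(names: Iterable[str]) -> Dict[int, List[str]]:
    """Map base address -> flags for every dump name that raised at least one flag."""
    flagged: Dict[int, List[str]] = {}
    for n in names:
        r = parse_dump_name(n)
        f = region_flags(r)
        if f:
            flagged[r.base] = f
    return flagged


# Dump names copied from this section of the report.
REPORT_DUMPS = [
    "00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp",
    "00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmp",
    "00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmp",
    "00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmp",
    "00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmp",
    "00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmp",
    "00000009.00000002.2988116312.0000000003950000.00000040.00001000.00020000.00000000.sdmp",
]

if __name__ == "__main__":
    for base, flags in sorted(triage(REPORT_DUMPS).items()):
        print(f"{base:#010x}: " + "; ".join(flags))
```

Run against the names on this page, the script flags exactly two regions: 0x03950000 (private, executable, writable: both flags) and 0x00B8B000 (an image-backed region that is nonetheless executable and writable: one flag). Everything at 0x00B00000 with plain PAGE_EXECUTE_READ or PAGE_READONLY protection is left alone.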
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetCPInfo.KERNEL32(FFFFF9B2,?,00000005,00B72DA5,?), ref: 00B72B9B
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Info
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1807457897-0
APIs
• stdext::threads::lock_error::lock_error.LIBCPMTD ref: 00B6037B
  • Part of subcall function 00B6106C: RaiseException.KERNEL32(E06D7363,00000001,00000003,00B6038E,?,?,?,?,00B6038E,?,00B88484), ref: 00B610CC
Memory Dump Source
• Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
Similarity
• API ID: ExceptionRaisestdext::threads::lock_error::lock_error
• String ID:
• API String ID: 3447279179-0
APIs
• Concurrency::cancel_current_task.LIBCPMTD ref: 00B01477
  • Part of subcall function 00B13D80: stdext::threads::lock_error::lock_error.LIBCPMTD ref: 00B13D89
Memory Dump Source
• Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
Similarity
• API ID: Concurrency::cancel_current_taskstdext::threads::lock_error::lock_error
• String ID:
• API String ID: 2103942186-0
APIs
• RtlAllocateHeap.NTDLL(00000000,00000000,?,?,00B5FB1F,00000000,?,00B1322C,00000000,?,00B013A5,00000000), ref: 00B6AC47
Memory Dump Source
• Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
Similarity
• API ID: AllocateHeap
• String ID:
• API String ID: 1279760036-0
APIs
• VirtualProtect.KERNELBASE(?,00000007,?,?), ref: 00B14B9E
Memory Dump Source
• Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
APIs
Memory Dump Source
• Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
Similarity
• API ID: allocator
• String ID:
• API String ID: 3447690668-0
APIs
• GetFileAttributesW.KERNELBASE(03955051,0395447E,?,?,?,?,?,?,?,?,?,?,?,?,?,03953ECC), ref: 0395407E
Memory Dump Source
• Source File: 00000009.00000002.2988116312.0000000003950000.00000040.00001000.00020000.00000000.sdmp, Offset: 03950000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3950000_2DF0.jbxd
Yara matches
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • VirtualAlloc.KERNELBASE(00000000,00000001,00003000,00000040), ref: 00B18B81
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: AllocVirtual
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 4275171209-0
                                                                                                                                                                                                                          • Opcode ID: 3583760f87a92a23fb6b449d333bf749266136b35941c51d66e5c0d92b45eaa9
                                                                                                                                                                                                                          • Instruction ID: c7db99d0218fc8705587d61e0780df8e0d1a08917fa7c723416b314d40219714
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3583760f87a92a23fb6b449d333bf749266136b35941c51d66e5c0d92b45eaa9
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D521E3B1C05928CADB62CF28C9817EDB7B5FF52340F1092C6D40D6A242DB319AC19F50
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 0395407D: GetFileAttributesW.KERNELBASE(03955051,0395447E,?,?,?,?,?,?,?,?,?,?,?,?,?,03953ECC), ref: 0395407E
                                                                                                                                                                                                                            • Part of subcall function 03953508: EnterCriticalSection.KERNEL32(039584D4,?,?,039551B7), ref: 03953512
                                                                                                                                                                                                                            • Part of subcall function 03953508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,039551B7), ref: 0395351B
                                                                                                                                                                                                                            • Part of subcall function 03953508: RtlAllocateHeap.NTDLL(00000000,?,?,039551B7), ref: 03953522
                                                                                                                                                                                                                            • Part of subcall function 03953508: LeaveCriticalSection.KERNEL32(039584D4,?,?,039551B7), ref: 0395352B
                                                                                                                                                                                                                          • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 03953F5D
                                                                                                                                                                                                                          • FindNextFileW.KERNEL32(03951710,?), ref: 03953FFE
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000009.00000002.2988116312.0000000003950000.00000040.00001000.00020000.00000000.sdmp, Offset: 03950000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_3950000_2DF0.jbxd
                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: File$CriticalFindHeapSection$AllocateAttributesEnterFirstLeaveNextProcess
                                                                                                                                                                                                                          • String ID: %s%s$%s\%s$%s\*
                                                                                                                                                                                                                          • API String ID: 674214967-2064654797
                                                                                                                                                                                                                          • Opcode ID: 95b60926543a8d98a3b0e6996a2a3850f789e1bd387f2236ed4fac16d899a4fd
                                                                                                                                                                                                                          • Instruction ID: c7ea96e5a88601de5e2454bd5f2a20b463a10c8c2d4d0010643e4c7059581374
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 95b60926543a8d98a3b0e6996a2a3850f789e1bd387f2236ed4fac16d899a4fd
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6131CB7AA0131967DB61FE75CC85BBDB7799F81290F080198FC059B290EB358FC68B51
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 00B754F1
                                                                                                                                                                                                                          • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 00B7551A
                                                                                                                                                                                                                          • GetACP.KERNEL32 ref: 00B7552F
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: InfoLocale
                                                                                                                                                                                                                          • String ID: ACP$OCP
                                                                                                                                                                                                                          • API String ID: 2299586839-711371036
                                                                                                                                                                                                                          • Opcode ID: 56da3b592bb763dc233a8bd67da2245cc22ab3523c4a05e04a3c29cb32d8728a
                                                                                                                                                                                                                          • Instruction ID: 1ca50ec12c0774be271bdff8bddee153dbb409e5ac0050c4cf39caf93c3b8ffa
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 56da3b592bb763dc233a8bd67da2245cc22ab3523c4a05e04a3c29cb32d8728a
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1721B272600904A6EB308F55D905B9773F7EB60B61B66C4E4E92DD7204FBB2DE80C750
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 00B6A8F0: GetLastError.KERNEL32(?,?,00B671B7,?,?,?,?,00000003,00B64382,?,00B642F1,?,00000000,00B64500), ref: 00B6A8F4
                                                                                                                                                                                                                            • Part of subcall function 00B6A8F0: SetLastError.KERNEL32(00000000,00000000,00B64500,?,?,?,?,?,00000000,?,?,00B6459E,00000000,00000000,00000000,00000000), ref: 00B6A996
                                                                                                                                                                                                                          • GetUserDefaultLCID.KERNEL32 ref: 00B7573C
                                                                                                                                                                                                                          • IsValidCodePage.KERNEL32(00000000), ref: 00B7577A
                                                                                                                                                                                                                          • IsValidLocale.KERNEL32(?,00000001), ref: 00B7578D
                                                                                                                                                                                                                          • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00B757D5
                                                                                                                                                                                                                          • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00B757F0
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 415426439-0
                                                                                                                                                                                                                          • Opcode ID: 189458151bb3e9f0012cd2ae9f2a74284361ebe9328495c06797db37e88d69cd
                                                                                                                                                                                                                          • Instruction ID: c04ecf970a28fe0137cf5f3f723d6173579ca7c2cca7d7eb93a97b98b1ae6825
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 189458151bb3e9f0012cd2ae9f2a74284361ebe9328495c06797db37e88d69cd
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 52515F71A10609ABEB24DFA4CC41BAE77F8FF44700F5484A9E929E7191EBB0DD40CB61
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0395410D
                                                                                                                                                                                                                          • FindNextFileW.KERNEL32(000000FF,?), ref: 03954159
                                                                                                                                                                                                                            • Part of subcall function 03953536: GetProcessHeap.KERNEL32(00000000,00000000,0395518A), ref: 0395353D
                                                                                                                                                                                                                            • Part of subcall function 03953536: RtlFreeHeap.NTDLL(00000000), ref: 03953544
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000009.00000002.2988116312.0000000003950000.00000040.00001000.00020000.00000000.sdmp, Offset: 03950000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_3950000_2DF0.jbxd
                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FileFindHeap$FirstFreeNextProcess
                                                                                                                                                                                                                          • String ID: %s\%s$%s\*
                                                                                                                                                                                                                          • API String ID: 1689202581-2848263008
                                                                                                                                                                                                                          • Opcode ID: 3fcdf23f08f7bfcf0ba462d14c464e2152e7ff45fa315f79ebe77d116405b2db
                                                                                                                                                                                                                          • Instruction ID: 0f428b5d6794f63286cccd8a0af6046c9fdc9fbf712496c4b8fb5cafee2f0972
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3fcdf23f08f7bfcf0ba462d14c464e2152e7ff45fa315f79ebe77d116405b2db
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AB31A8397013149BCB60FF66DCC476F7BA9AF94290F144469FD05DB245EB348AD18B90
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000), ref: 00B7265E
                                                                                                                                                                                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 00B72752
                                                                                                                                                                                                                          • FindClose.KERNEL32(00000000), ref: 00B72791
                                                                                                                                                                                                                          • FindClose.KERNEL32(00000000), ref: 00B727C4
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Find$CloseFile$FirstNext
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1164774033-0
                                                                                                                                                                                                                          • Opcode ID: 6c54a34a7341fa75546d97f4b9ca0cc53c6b91a9847da419951ae10937ddd2d9
                                                                                                                                                                                                                          • Instruction ID: 4930a6ceab4ff19484fbe24b3fc66a5e4e477e856c6bed0b881a02840d91aa61
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6c54a34a7341fa75546d97f4b9ca0cc53c6b91a9847da419951ae10937ddd2d9
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4271E375D051586FDF24AF38CC99AAABBF9EF15300F1481DAE06DA7211EB358E819F10
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00B604A1
                                                                                                                                                                                                                          • IsDebuggerPresent.KERNEL32 ref: 00B6056D
                                                                                                                                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00B60586
                                                                                                                                                                                                                          • UnhandledExceptionFilter.KERNEL32(?), ref: 00B60590
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 254469556-0
                                                                                                                                                                                                                          • Opcode ID: 605acf10066315b446696d73d16a60f8158cb18d81755abb8d5724581967fac3
                                                                                                                                                                                                                          • Instruction ID: 58cde7079f4ec1325eb7209d0e9bc24087fa2fb9da057f78c1c0ea229a8d6140
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 605acf10066315b446696d73d16a60f8158cb18d81755abb8d5724581967fac3
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7D31F875D152189BDF20EF65D9897CEBBF8AF08300F1041EAE50DAB250EB759A84CF45
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 00B6A8F0: GetLastError.KERNEL32(?,?,00B671B7,?,?,?,?,00000003,00B64382,?,00B642F1,?,00000000,00B64500), ref: 00B6A8F4
                                                                                                                                                                                                                            • Part of subcall function 00B6A8F0: SetLastError.KERNEL32(00000000,00000000,00B64500,?,?,?,?,?,00000000,?,?,00B6459E,00000000,00000000,00000000,00000000), ref: 00B6A996
                                                                                                                                                                                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B75130
                                                                                                                                                                                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B7517A
                                                                                                                                                                                                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B75240
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: InfoLocale$ErrorLast
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 661929714-0
                                                                                                                                                                                                                          • Opcode ID: 0f0c300a04528b46f0ecdf6d67442070f2f9e5d54c9619df38224487b5665b8e
                                                                                                                                                                                                                          • Instruction ID: 2f232d58f5a7d69f097b545f0d24e7b1ea06c8f9081f84ab469148604127c727
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0f0c300a04528b46f0ecdf6d67442070f2f9e5d54c9619df38224487b5665b8e
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 28618171914A079FDB389F28CC82BAA77E9EF14340F1080E9E929C6595F7B4D981DB50
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 00B6447B
                                                                                                                                                                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00B64485
                                                                                                                                                                                                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00B64492
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3906539128-0
                                                                                                                                                                                                                          • Opcode ID: 4ba79a62f7825dd55b4852cfd6e0554d73edf2a4a7762d1fc43d80fe969eed75
                                                                                                                                                                                                                          • Instruction ID: f0070fcfe7c1ff12f90067634933ed8b7d51988f00457d75c50a552bb24863e8
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4ba79a62f7825dd55b4852cfd6e0554d73edf2a4a7762d1fc43d80fe969eed75
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F231C2749112289BCB21DF65D88978DBBF8BF08310F5042EAE50CA7250EB749B858F44
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00B6D510,?,?,00000008,?,?,00B77A3B,00000000), ref: 00B6D742
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ExceptionRaise
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3997070919-0
                                                                                                                                                                                                                          • Opcode ID: afa790d1512cd33fe5dbc83136ce026f817ad6eb89ed3486c732b30879799ade
                                                                                                                                                                                                                          • Instruction ID: ae4803dfb755384afddd3f77420db81e7c5f3dfe84ad89abbb55ac3de9bd8f74
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: afa790d1512cd33fe5dbc83136ce026f817ad6eb89ed3486c732b30879799ade
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 89B13D31A106089FD715CF28C48AB657BE0FF45364F298698E89ACF2A1C739DD91CB41
                                                                                                                                                                                                                          APIs
• IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00B60152
Memory Dump Source
• Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
Similarity
• API ID: FeaturePresentProcessor
• String ID:
• API String ID: 2325560087-0
APIs
  • Part of subcall function 00B6A8F0: GetLastError.KERNEL32(?,?,00B671B7,?,?,?,?,00000003,00B64382,?,00B642F1,?,00000000,00B64500), ref: 00B6A8F4
  • Part of subcall function 00B6A8F0: SetLastError.KERNEL32(00000000,00000000,00B64500,?,?,?,?,?,00000000,?,?,00B6459E,00000000,00000000,00000000,00000000), ref: 00B6A996
• GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00B75383
Similarity
• API ID: ErrorLast$InfoLocale
• String ID:
• API String ID: 3736152602-0
APIs
  • Part of subcall function 00B6A8F0: GetLastError.KERNEL32(?,?,00B671B7,?,?,?,?,00000003,00B64382,?,00B642F1,?,00000000,00B64500), ref: 00B6A8F4
  • Part of subcall function 00B6A8F0: SetLastError.KERNEL32(00000000,00000000,00B64500,?,?,?,?,?,00000000,?,?,00B6459E,00000000,00000000,00000000,00000000), ref: 00B6A996
• EnumSystemLocalesW.KERNEL32(00B750DC,00000001), ref: 00B75028
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
APIs
  • Part of subcall function 00B6A8F0: GetLastError.KERNEL32(?,?,00B671B7,?,?,?,?,00000003,00B64382,?,00B642F1,?,00000000,00B64500), ref: 00B6A8F4
  • Part of subcall function 00B6A8F0: SetLastError.KERNEL32(00000000,00000000,00B64500,?,?,?,?,?,00000000,?,?,00B6459E,00000000,00000000,00000000,00000000), ref: 00B6A996
• GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00B752F8,00000000,00000000,?), ref: 00B7558A
Similarity
• API ID: ErrorLast$InfoLocale
• String ID:
• API String ID: 3736152602-0
APIs
  • Part of subcall function 00B6A8F0: GetLastError.KERNEL32(?,?,00B671B7,?,?,?,?,00000003,00B64382,?,00B642F1,?,00000000,00B64500), ref: 00B6A8F4
  • Part of subcall function 00B6A8F0: SetLastError.KERNEL32(00000000,00000000,00B64500,?,?,?,?,?,00000000,?,?,00B6459E,00000000,00000000,00000000,00000000), ref: 00B6A996
• EnumSystemLocalesW.KERNEL32(00B7532F,00000001), ref: 00B7509B
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
APIs
  • Part of subcall function 00B649CA: EnterCriticalSection.KERNEL32(-00B8B8A8,?,00B676D7,00000000,00B88C40,0000000C,00B6769F,?,?,00B6DB90,?,?,00B6AA8E,00000001,00000364,00000000), ref: 00B649D9
• EnumSystemLocalesW.KERNEL32(Function_0006DBBA,00000001,00B88E30,0000000C,00B6DF92,?), ref: 00B6DBFF
Similarity
• API ID: CriticalEnterEnumLocalesSectionSystem
• String ID:
• API String ID: 1272433827-0
APIs
  • Part of subcall function 00B6A8F0: GetLastError.KERNEL32(?,?,00B671B7,?,?,?,?,00000003,00B64382,?,00B642F1,?,00000000,00B64500), ref: 00B6A8F4
  • Part of subcall function 00B6A8F0: SetLastError.KERNEL32(00000000,00000000,00B64500,?,?,?,?,?,00000000,?,?,00B6459E,00000000,00000000,00000000,00000000), ref: 00B6A996
• EnumSystemLocalesW.KERNEL32(00B74EC4,00000001), ref: 00B74FA2
Memory Dump Source
• Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• API String ID: 2417226690-0
APIs
  • Part of subcall function 00B6A8F0: GetLastError.KERNEL32(?,?,00B671B7,?,?,?,?,00000003,00B64382,?,00B642F1,?,00000000,00B64500), ref: 00B6A8F4
  • Part of subcall function 00B6A8F0: SetLastError.KERNEL32(00000000,00000000,00B64500,?,?,?,?,?,00000000,?,?,00B6459E,00000000,00000000,00000000,00000000), ref: 00B6A996
• EnumSystemLocalesW.KERNEL32(00B74EC4,00000001), ref: 00B74FA2
Memory Dump Source
• Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• API String ID: 2417226690-0
APIs
• GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00B69527,?,20001004,00000000,00000002,?,?,00B68B19), ref: 00B6E0CA
Memory Dump Source
• Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
Similarity
• API ID: InfoLocale
• API String ID: 2299586839-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_0006062E,00B5FC56), ref: 00B60627
Memory Dump Source
• Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
Similarity
• API ID: ExceptionFilterUnhandled
• API String ID: 3192549508-0
Memory Dump Source
• Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
Similarity
• API ID: HeapProcess
• API String ID: 54951025-0
Memory Dump Source
• Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: dc8808c31b174ddf89346739b1d3643f3fcbc20842dcc3a577d53a87946a5f63
                                                                                                                                                                                                                          • Instruction ID: b26e81727fce40e44a3b2c573c2d4e9992a527e9c78f1eaed5357a55088fba48
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dc8808c31b174ddf89346739b1d3643f3fcbc20842dcc3a577d53a87946a5f63
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 19322521D69F014DD7239634CC62335AA89AFB73C4F15D73BE85AB6AA5EF29D4C34200
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                                                                                                                                          • Instruction ID: e1801c34709f214b4302f7bd2f5dce033b5fbcf0890abfc77c15e02a15e7aac7
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5F115B7720118243D614CA7ED8B45B6E3E5FBD532072C8BFAC0434B748D92AD9409E00
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation,00000000,00000000,00000000,?,?,?,?,03954574), ref: 03954305
                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0395430E
                                                                                                                                                                                                                          • GetModuleHandleA.KERNEL32(ntdll,NtQueryObject,?,?,?,?,03954574), ref: 0395431F
                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000), ref: 03954322
                                                                                                                                                                                                                            • Part of subcall function 03953508: EnterCriticalSection.KERNEL32(039584D4,?,?,039551B7), ref: 03953512
                                                                                                                                                                                                                            • Part of subcall function 03953508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,039551B7), ref: 0395351B
                                                                                                                                                                                                                            • Part of subcall function 03953508: RtlAllocateHeap.NTDLL(00000000,?,?,039551B7), ref: 03953522
                                                                                                                                                                                                                            • Part of subcall function 03953508: LeaveCriticalSection.KERNEL32(039584D4,?,?,039551B7), ref: 0395352B
                                                                                                                                                                                                                          • OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,?,?,03954574), ref: 039543A4
                                                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(03954574,00000000,00000000,00000002,?,?,?,?,03954574), ref: 039543C0
                                                                                                                                                                                                                          • DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,03954574), ref: 039543CF
                                                                                                                                                                                                                          • CloseHandle.KERNEL32(03954574,?,?,?,?,03954574), ref: 039543FF
                                                                                                                                                                                                                          • GetCurrentProcess.KERNEL32(03954574,00000000,00000000,00000001,?,?,?,?,03954574), ref: 0395440D
                                                                                                                                                                                                                          • DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,03954574), ref: 0395441C
                                                                                                                                                                                                                          • CloseHandle.KERNEL32(?,?,?,?,?,03954574), ref: 0395442F
                                                                                                                                                                                                                          • CloseHandle.KERNEL32(000000FF), ref: 03954452
                                                                                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 0395445A
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000009.00000002.2988116312.0000000003950000.00000040.00001000.00020000.00000000.sdmp, Offset: 03950000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_3950000_2DF0.jbxd
                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Handle$CloseProcess$AddressCriticalCurrentDuplicateHeapModuleProcSection$AllocateEnterLeaveOpen
                                                                                                                                                                                                                          • String ID: NtQueryObject$NtQuerySystemInformation$ntdll
                                                                                                                                                                                                                          • API String ID: 3110323036-2044536123
                                                                                                                                                                                                                          • Opcode ID: 2b3d5d5128817a858a9871de7c3a5b22bc6f71056573a8d8e038c3d28ef47ec4
                                                                                                                                                                                                                          • Instruction ID: 9454fa3ff7a3231261eab2ac0c115fc3cfc02c571b9d8f1459df0c99070cdbde
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2b3d5d5128817a858a9871de7c3a5b22bc6f71056573a8d8e038c3d28ef47ec4
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B0415E72A00219ABDB10EFF69C44AAEBBBDEF84651F144165F914E7190DB70DAC1CBA0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Yarn$std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                                                                                                                                                                                                          • String ID: bad locale name
                                                                                                                                                                                                                          • API String ID: 3904239083-1405518554
                                                                                                                                                                                                                          • Opcode ID: a080b3db73d7cf7a1893d0dc4df62cf08c1871ae90a1d496eb4d568bfe6255e6
                                                                                                                                                                                                                          • Instruction ID: 2891529a849d610255b6b001a2a7438780b4c8491e203554e5bee0ebedf776ee
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a080b3db73d7cf7a1893d0dc4df62cf08c1871ae90a1d496eb4d568bfe6255e6
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 98215EB090424ADBDF04EB98C955BBEBBB1AF44708F1445DCE5122B3C2CB755A04C7A5
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000009.00000002.2988116312.0000000003950000.00000040.00001000.00020000.00000000.sdmp, Offset: 03950000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_3950000_2DF0.jbxd
                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: __aulldvrm
                                                                                                                                                                                                                          • String ID: (null)$(null)$0123456789ABCDEF$0123456789abcdef
                                                                                                                                                                                                                          • API String ID: 1302938615-1267642376
                                                                                                                                                                                                                          • Opcode ID: 5bb8c21de022740f5871df14db7b1a143e6a4e668ea9ac1ea884507fea03e9e9
                                                                                                                                                                                                                          • Instruction ID: 4d5eba79ef91d7b8cbc39ebb6f13b24fd48ec536760d057789cf251a79d01820
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5bb8c21de022740f5871df14db7b1a143e6a4e668ea9ac1ea884507fea03e9e9
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 799148716043028FDB25CF28C49062ABBE9EF86284F184D6EF8DA87651D770E9C1CB51
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • type_info::operator==.LIBVCRUNTIME ref: 00B63400
                                                                                                                                                                                                                          • ___TypeMatch.LIBVCRUNTIME ref: 00B6350E
                                                                                                                                                                                                                          • _UnwindNestedFrames.LIBCMT ref: 00B63660
                                                                                                                                                                                                                          • CallUnexpected.LIBVCRUNTIME ref: 00B6367B
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                                                                                                                                                                                          • String ID: csm$csm$csm
                                                                                                                                                                                                                          • API String ID: 2751267872-393685449
Strings
Memory Dump Source
• Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
Similarity
• API ID:
• String ID:
• API String ID: 0-3907804496
APIs
• GetUserDefaultUILanguage.KERNEL32 ref: 03951F90
• GetKeyboardLayoutList.USER32(00000032,?), ref: 03951FF2
Strings
Memory Dump Source
• Source File: 00000009.00000002.2988116312.0000000003950000.00000040.00001000.00020000.00000000.sdmp, Offset: 03950000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3950000_2DF0.jbxd
Yara matches
Similarity
• API ID: DefaultKeyboardLanguageLayoutListUser
• String ID: )$- KeyboardLayouts: ( $- SystemLayout %d${%d}
• API String ID: 167087913-619012376
APIs
• FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,D6504D6B,?,00B6DEA3,00000000,00B013A5,00000000,00000000), ref: 00B6DE55
Strings
Memory Dump Source
• Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
Similarity
• API ID: FreeLibrary
• String ID: api-ms-$ext-ms-
• API String ID: 3664257935-537541572
APIs
• __EH_prolog3.LIBCMT ref: 00B5E51D
• std::_Lockit::_Lockit.LIBCPMT ref: 00B5E527
• int.LIBCPMTD ref: 00B5E53E
  • Part of subcall function 00B046D0: std::_Lockit::_Lockit.LIBCPMT ref: 00B046E6
  • Part of subcall function 00B046D0: std::_Lockit::~_Lockit.LIBCPMT ref: 00B04710
• codecvt.LIBCPMT ref: 00B5E561
• std::_Facet_Register.LIBCPMT ref: 00B5E578
• std::_Lockit::~_Lockit.LIBCPMT ref: 00B5E598
• Concurrency::cancel_current_task.LIBCPMTD ref: 00B5E5A5
Memory Dump Source
• Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
• String ID:
• API String ID: 2133458128-0
APIs
• __EH_prolog3.LIBCMT ref: 00B5D7AF
• std::_Lockit::_Lockit.LIBCPMT ref: 00B5D7B9
• int.LIBCPMTD ref: 00B5D7D0
  • Part of subcall function 00B046D0: std::_Lockit::_Lockit.LIBCPMT ref: 00B046E6
  • Part of subcall function 00B046D0: std::_Lockit::~_Lockit.LIBCPMT ref: 00B04710
• codecvt.LIBCPMT ref: 00B5D7F3
• std::_Facet_Register.LIBCPMT ref: 00B5D80A
• std::_Lockit::~_Lockit.LIBCPMT ref: 00B5D82A
• Concurrency::cancel_current_task.LIBCPMTD ref: 00B5D837
Memory Dump Source
• Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
Similarity
• API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
• String ID:
• API String ID: 2133458128-0
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 00B5F927
• MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 00B5F992
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B5F9AF
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00B5F9EE
• LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00B5FA4D
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 00B5FA70
Memory Dump Source
• Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ByteCharMultiStringWide
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2829165498-0
                                                                                                                                                                                                                          • Opcode ID: 1188f19213096a277a67a3ef07da2776035b50093165a8e1e3376728b2a4e64b
                                                                                                                                                                                                                          • Instruction ID: 358c0986095e8d36f3b5d1d7360617748b9799b837de7a8d5314d56c4b02b5e5
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1188f19213096a277a67a3ef07da2776035b50093165a8e1e3376728b2a4e64b
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A0518A7290020BABEF219FA4CC85FBBBBF9EB44741F1044E5FD09A6190DB748918CB91
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000009.00000002.2988116312.0000000003950000.00000040.00001000.00020000.00000000.sdmp, Offset: 03950000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_3950000_2DF0.jbxd
                                                                                                                                                                                                                          Yara matches
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID: x
                                                                                                                                                                                                                          • API String ID: 0-2363233923
                                                                                                                                                                                                                          • Opcode ID: dcc93f5783802aa8e0e0c0cdd65dad41de959ffbbb41cf6315bc881eb6a1d39f
                                                                                                                                                                                                                          • Instruction ID: 7e5bd16dce1fc7c304a009cd080db5c405208dbe7202759bcfdfe20e05d089ac
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dcc93f5783802aa8e0e0c0cdd65dad41de959ffbbb41cf6315bc881eb6a1d39f
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BE02AE79E04249EFCB45CFA8C984AADB7F4FF09345F048856E866EB250D730AA91CF51
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,?,00B62FA1,00B616DC,00B60672), ref: 00B62FB8
                                                                                                                                                                                                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00B62FC6
                                                                                                                                                                                                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00B62FDF
                                                                                                                                                                                                                          • SetLastError.KERNEL32(00000000,00B62FA1,00B616DC,00B60672), ref: 00B63031
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ErrorLastValue___vcrt_
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3852720340-0
                                                                                                                                                                                                                          • Opcode ID: 5f4bd1e586b73281ab2641ecdf6b020bcb47b6b4aab749f0539842f365b868ed
                                                                                                                                                                                                                          • Instruction ID: 9d80e093d7c152e641460d970024fb81130a7f706f6d40ca6f5482000431ee2e
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5f4bd1e586b73281ab2641ecdf6b020bcb47b6b4aab749f0539842f365b868ed
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2201D83211DB226DB6252BB47D85B1B2AE5EB52B7073003BAF110620F0EF5D4C459245
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,D6504D6B,?,?,00000000,00B78AEC,000000FF,?,00B680A8,?,?,00B6807C,00000000), ref: 00B68101
                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00B68113
                                                                                                                                                                                                                          • FreeLibrary.KERNEL32(00000000,?,00000000,00B78AEC,000000FF,?,00B680A8,?,?,00B6807C,00000000), ref: 00B68135
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                                                                                                                                          • String ID: CorExitProcess$mscoree.dll
                                                                                                                                                                                                                          • API String ID: 4061214504-1276376045
                                                                                                                                                                                                                          • Opcode ID: 84d0847dccf545fbfc25e40f10d83d0b99a80c89614614e10af4337d623a9292
                                                                                                                                                                                                                          • Instruction ID: dbe0e4545d2fcc748f75298d77c583d5a0ab34eb18a1cb555bd7f66815b1e985
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 84d0847dccf545fbfc25e40f10d83d0b99a80c89614614e10af4337d623a9292
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 51016271954625EFDB119F54CC09FAFBBF9FB09B14F004669E825A32A0DF789940CA50
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • std::_Lockit::_Lockit.LIBCPMT ref: 00B01E40
                                                                                                                                                                                                                          • int.LIBCPMTD ref: 00B01E59
                                                                                                                                                                                                                            • Part of subcall function 00B046D0: std::_Lockit::_Lockit.LIBCPMT ref: 00B046E6
                                                                                                                                                                                                                            • Part of subcall function 00B046D0: std::_Lockit::~_Lockit.LIBCPMT ref: 00B04710
                                                                                                                                                                                                                          • Concurrency::cancel_current_task.LIBCPMTD ref: 00B01E99
                                                                                                                                                                                                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 00B01F01
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_task
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3053331623-0
                                                                                                                                                                                                                          • Opcode ID: a3e039e82170a94f0f49092ee8abc4ebbd11f8eadb88b877024b049454a4cecc
                                                                                                                                                                                                                          • Instruction ID: 470046c05f202554f4286e274eb2ff4110f2a153837f9d1c89427d432c12afae
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a3e039e82170a94f0f49092ee8abc4ebbd11f8eadb88b877024b049454a4cecc
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4D311AB1D00209DFCB04EF98D891BEEBBF1BB18310F204699E915673D1DB346A44CBA1
                                                                                                                                                                                                                          APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 00B01F40
• int.LIBCPMTD ref: 00B01F59
  • Part of subcall function 00B046D0: std::_Lockit::_Lockit.LIBCPMT ref: 00B046E6
  • Part of subcall function 00B046D0: std::_Lockit::~_Lockit.LIBCPMT ref: 00B04710
• Concurrency::cancel_current_task.LIBCPMTD ref: 00B01F99
• std::_Lockit::~_Lockit.LIBCPMT ref: 00B02001
Memory Dump Source
• Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
Similarity
• API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_task
• String ID:
• API String ID: 3053331623-0
• Opcode ID: 746c92182ca20c8901ce4c6b0d41a94fc01cdc2ac81c2a0ddc108d182b5e52b1
• Instruction ID: 73311f691045b4377d5d1259436c70da724be4146594f7c691284b63278a752e
• Opcode Fuzzy Hash: 746c92182ca20c8901ce4c6b0d41a94fc01cdc2ac81c2a0ddc108d182b5e52b1
• Instruction Fuzzy Hash: 81312AB1D0020ADFCB04EFA8D881BEEBBF0BF08310F204699E51567391DB746A44CBA1
APIs
• __EH_prolog3.LIBCMT ref: 00B5CE44
• std::_Lockit::_Lockit.LIBCPMT ref: 00B5CE4F
• std::_Lockit::~_Lockit.LIBCPMT ref: 00B5CEBD
  • Part of subcall function 00B5CFA0: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00B5CFB8
• std::locale::_Setgloballocale.LIBCPMT ref: 00B5CE6A
• _Yarn.LIBCPMT ref: 00B5CE80
Memory Dump Source
• Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
Similarity
• API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
• String ID:
• API String ID: 1088826258-0
• Opcode ID: 997d2b8694f712e508cd282193c211348e087296540e658071a7a09ad2113aef
• Instruction ID: b1fa56c41b6e088c4a98cf328bc2571acdf15760b4f42c20b45b8b40cbfa108c
• Opcode Fuzzy Hash: 997d2b8694f712e508cd282193c211348e087296540e658071a7a09ad2113aef
• Instruction Fuzzy Hash: E0015A75A102159FC705BB20D85AA7D7BB3BB88341B1440D9E8166B3A1CF78AE4ACBC5
APIs
• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00B64023,00000000,?,00B8B824,?,?,?,00B641C6,00000004,InitializeCriticalSectionEx,00B7B270,InitializeCriticalSectionEx), ref: 00B6407F
• GetLastError.KERNEL32(?,00B64023,00000000,?,00B8B824,?,?,?,00B641C6,00000004,InitializeCriticalSectionEx,00B7B270,InitializeCriticalSectionEx,00000000,?,00B63F7D), ref: 00B64089
• LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 00B640B1
Strings
Memory Dump Source
• Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
Similarity
• API ID: LibraryLoad$ErrorLast
• String ID: api-ms-
• API String ID: 3177248105-2084034818
• Opcode ID: 946df6d8dc7834a22c2075f47174034888a9fcab348abcd34367933b8b5b520d
• Instruction ID: a5fc2937129445aeb081382b282f4bc0cd3b6f8c3b6518c6a1f599e56e421cba
• Opcode Fuzzy Hash: 946df6d8dc7834a22c2075f47174034888a9fcab348abcd34367933b8b5b520d
• Instruction Fuzzy Hash: 35E01230684214BBDF201B60DC06F593AD5DB10B50F104060FE0CE50A1DBA6D8909ED5
APIs
• GetConsoleOutputCP.KERNEL32(D6504D6B,00000000,00000000,00000000), ref: 00B6F4FA
  • Part of subcall function 00B71EBD: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00B6EF8D,?,00000000,-00000008), ref: 00B71F1E
• WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00B6F74C
• WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 00B6F792
• GetLastError.KERNEL32 ref: 00B6F835
Memory Dump Source
• Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
Similarity
• API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
• String ID:
• API String ID: 2112829910-0
• Opcode ID: eab0e76a5a52a6e0f39228ec56649a95bec1a7054c8ea0f69f64fa72abdd19d0
• Instruction ID: b64aff18e63b5f8395e4fa81b57f1d113a999f2a56dc2a89b3efada6152cc8a3
• Opcode Fuzzy Hash: eab0e76a5a52a6e0f39228ec56649a95bec1a7054c8ea0f69f64fa72abdd19d0
• Instruction Fuzzy Hash: 1ED15975D00249DFCB15CFE8E8809ADBBF5FF09314F2445AAE826EB265D734A942CB50
APIs
Memory Dump Source
• Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
Similarity
• API ID: AdjustPointer
• String ID:
• API String ID: 1740715915-0
• Opcode ID: cf1f91e28feab081083a9a2191fcfacc50e72579b4c91b97de9a4406fdd804f3
• Instruction ID: 467a4aba8d4cd41baf4e3ba2d1d0409f3921ab2c505fcba48e3c0e9a40c96919
• Opcode Fuzzy Hash: cf1f91e28feab081083a9a2191fcfacc50e72579b4c91b97de9a4406fdd804f3
• Instruction Fuzzy Hash: 9B513471A002069FDB288F15C891B7AB3E5EF05B00F1844EDEC06A72A1D73EEE45CB80
APIs
  • Part of subcall function 00B71EBD: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00B6EF8D,?,00000000,-00000008), ref: 00B71F1E
• GetLastError.KERNEL32 ref: 00B722DE
• __dosmaperr.LIBCMT ref: 00B722E5
• GetLastError.KERNEL32(?,?,?,?), ref: 00B7231F
• __dosmaperr.LIBCMT ref: 00B72326
Memory Dump Source
• Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
Similarity
                                                                                                                                                                                                                          • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1913693674-0
Memory Dump Source
• Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• GetEnvironmentStringsW.KERNEL32 ref: 00B73226
  • Part of subcall function 00B71EBD: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,00B6EF8D,?,00000000,-00000008), ref: 00B71F1E
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B7325E
• FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00B7327E
Memory Dump Source
• Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
Similarity
• API ID: EnvironmentStrings$Free$ByteCharMultiWide
• String ID:
• API String ID: 158306478-0
APIs
• WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00B76B6B,00000000,00000001,0000000C,00000000,?,00B6F889,00000000,00000000,00000000), ref: 00B77C52
• GetLastError.KERNEL32(?,00B76B6B,00000000,00000001,0000000C,00000000,?,00B6F889,00000000,00000000,00000000,00000000,00000000,?,00B6FE2C,?), ref: 00B77C5E
  • Part of subcall function 00B77C24: CloseHandle.KERNEL32(FFFFFFFE,00B77C6E,?,00B76B6B,00000000,00000001,0000000C,00000000,?,00B6F889,00000000,00000000,00000000,00000000,00000000), ref: 00B77C34
• ___initconout.LIBCMT ref: 00B77C6E
  • Part of subcall function 00B77BE6: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00B77C15,00B76B58,00000000,?,00B6F889,00000000,00000000,00000000,00000000), ref: 00B77BF9
• WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,00B76B6B,00000000,00000001,0000000C,00000000,?,00B6F889,00000000,00000000,00000000,00000000), ref: 00B77C83
Memory Dump Source
• Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
• String ID:
• API String ID: 2744216297-0
APIs
  • Part of subcall function 03953508: EnterCriticalSection.KERNEL32(039584D4,?,?,039551B7), ref: 03953512
  • Part of subcall function 03953508: GetProcessHeap.KERNEL32(00000008,00000208,?,?,039551B7), ref: 0395351B
  • Part of subcall function 03953508: RtlAllocateHeap.NTDLL(00000000,?,?,039551B7), ref: 03953522
  • Part of subcall function 03953508: LeaveCriticalSection.KERNEL32(039584D4,?,?,039551B7), ref: 0395352B
• WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000005,00000000,00000000), ref: 03952E3D
Strings
Memory Dump Source
• Source File: 00000009.00000002.2988116312.0000000003950000.00000040.00001000.00020000.00000000.sdmp, Offset: 03950000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3950000_2DF0.jbxd
Yara matches
Similarity
• API ID: CriticalHeapSection$AllocateByteCharEnterLeaveMultiProcessWide
• String ID: x
• API String ID: 1990697408-2363233923
APIs
• __startOneArgErrorHandling.LIBCMT ref: 00B6BC8D
Strings
Memory Dump Source
• Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
Similarity
• API ID: ErrorHandling__start
• String ID: pow
• API String ID: 3213639722-2276729525
                                                                                                                                                                                                                          • Opcode ID: f2c96bb7b84434486badead1c45478970d9b7f5d4d1a6a48b2e93e296200452c
                                                                                                                                                                                                                          • Instruction ID: 639531d21e2c6f8d3033dd3d4500debc9a5f05b2a4f31e8a261d2f48684186de
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f2c96bb7b84434486badead1c45478970d9b7f5d4d1a6a48b2e93e296200452c
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CF513861A0410196CB117B14CD81B7A3FF4DB50B40F2049FDE4DAC72A9EF3D8DD5AA85
APIs
• ___except_validate_context_record.LIBVCRUNTIME ref: 00B62DEF
• __IsNonwritableInCurrentImage.LIBCMT ref: 00B62EA3
Strings
Memory Dump Source
• Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
Similarity
• API ID: CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 3480331319-1018135373
• Opcode ID: 04dc450c987362a84218bd134da95cb4e89dba3e3fdc2b17ebed2958a47e7665
• Instruction ID: 63edacd8460d86374dbd915be95fe5f109904937a010416dc7b03bd1cfc86a1f
• Opcode Fuzzy Hash: 04dc450c987362a84218bd134da95cb4e89dba3e3fdc2b17ebed2958a47e7665
• Instruction Fuzzy Hash: AB41A334E006099BDF10DF68C884A9EBBF5FF45714F1481E5E8186B3A2D73A9E15CB91
APIs
• EncodePointer.KERNEL32(00000000,?), ref: 00B636AB
Strings
Memory Dump Source
• Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
Similarity
• API ID: EncodePointer
• String ID: MOC$RCC
• API String ID: 2118026453-2084237596
• Opcode ID: e02fe01222fcd9dc71d3b1c26b6799949b0493741f2bb9cc25003d64bb3648bc
• Instruction ID: a0d92fff74259a3de7a418385352dd8c915cd9809d7cc6adf3a49b2c1477c581
• Opcode Fuzzy Hash: e02fe01222fcd9dc71d3b1c26b6799949b0493741f2bb9cc25003d64bb3648bc
• Instruction Fuzzy Hash: D34138B1900209AFDF15DF98CD81EAEBBF5EF48700F184199FA0967251D339AE50DB50
APIs
• Concurrency::task_continuation_context::task_continuation_context.LIBCPMTD ref: 00B5C9E8
• task.LIBCPMTD ref: 00B5C9F6
Strings
• }{cdef~hijkl/nopqrstuvwx|><B-DEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_+, xrefs: 00B5C92A
Memory Dump Source
• Source File: 00000009.00000002.2986837664.0000000000B01000.00000020.00000001.01000000.0000000C.sdmp, Offset: 00B00000, based on PE: true
• Associated: 00000009.00000002.2986814497.0000000000B00000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986886429.0000000000B79000.00000002.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986927576.0000000000B8A000.00000004.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986954804.0000000000B8B000.00000040.00000001.01000000.0000000C.sdmp
• Associated: 00000009.00000002.2986983960.0000000000B8C000.00000002.00000001.01000000.0000000C.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_b00000_2DF0.jbxd
Similarity
• API ID: Concurrency::task_continuation_context::task_continuation_contexttask
• String ID: }{cdef~hijkl/nopqrstuvwx|><B-DEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_+
• API String ID: 605201214-2946796713
• Opcode ID: cc00c1c18aa83451d8692116bb6e81a18593325697619cb6074747d537746235
• Instruction ID: 552b89ba910540f784911a72ffee08eb667125c76ad1ee3348e0f347beb93a2a
• Opcode Fuzzy Hash: cc00c1c18aa83451d8692116bb6e81a18593325697619cb6074747d537746235
• Instruction Fuzzy Hash: 0E31E671D042199FCB04DF98C991BEEBBF6FB48301F2041A9E815B7291DB756A04CBA0

Execution Graph

Execution Coverage: 17.5%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 14%
Total number of Nodes: 1368
Total number of Limit Nodes: 27
DispatchMessageA 3479->3480 3481 4067fd 3479->3481 3480->3479 3481->3467 3483 402eb0 3482->3483 3484 402eb2 MulDiv 3482->3484 3483->3484 3484->3475 4038 404be8 4039 404c14 4038->4039 4040 404bf8 4038->4040 4041 404c47 4039->4041 4042 404c1a SHGetPathFromIDListA 4039->4042 4049 405a82 GetDlgItemTextA 4040->4049 4045 404c2a 4042->4045 4048 404c31 SendMessageA 4042->4048 4044 404c05 SendMessageA 4044->4039 4046 40140b 2 API calls 4045->4046 4046->4048 4048->4041 4049->4044 4050 4023e8 4051 402c39 17 API calls 4050->4051 4052 4023f9 4051->4052 4053 402c39 17 API calls 4052->4053 4054 402402 4053->4054 4055 402c39 17 API calls 4054->4055 4056 40240c GetPrivateProfileStringA 4055->4056 4057 40166a 4058 402c39 17 API calls 4057->4058 4059 401671 4058->4059 4060 402c39 17 API calls 4059->4060 4061 40167a 4060->4061 4062 402c39 17 API calls 4061->4062 4063 401683 MoveFileA 4062->4063 4064 401696 4063->4064 4065 40168f 4063->4065 4067 4066ff 2 API calls 4064->4067 4069 4022ea 4064->4069 4066 401423 24 API calls 4065->4066 4066->4069 4068 4016a5 4067->4068 4068->4069 4070 406161 36 API calls 4068->4070 4070->4065 4078 4019ed 4079 402c39 17 API calls 4078->4079 4080 4019f4 4079->4080 4081 402c39 17 API calls 4080->4081 4082 4019fd 4081->4082 4083 401a04 lstrcmpiA 4082->4083 4084 401a16 lstrcmpA 4082->4084 4085 401a0a 4083->4085 4084->4085 4086 40156f 4087 401586 4086->4087 4088 40157f ShowWindow 4086->4088 4089 401594 ShowWindow 4087->4089 4090 402ac5 4087->4090 4088->4087 4089->4090 4091 404570 4093 404586 4091->4093 4094 404692 4091->4094 4092 404701 4095 4047cb 4092->4095 4097 40470b GetDlgItem 4092->4097 4096 404405 18 API calls 4093->4096 4094->4092 4094->4095 4102 4046d6 GetDlgItem SendMessageA 4094->4102 4101 40446c 8 API calls 4095->4101 4100 4045dc 4096->4100 4098 404721 4097->4098 4099 404789 4097->4099 4098->4099 4105 404747 SendMessageA LoadCursorA SetCursor 4098->4105 4099->4095 4106 40479b 4099->4106 4103 404405 18 API calls 4100->4103 4104 4047c6 4101->4104 4124 
404427 EnableWindow 4102->4124 4108 4045e9 CheckDlgButton 4103->4108 4128 404814 4105->4128 4111 4047a1 SendMessageA 4106->4111 4112 4047b2 4106->4112 4122 404427 EnableWindow 4108->4122 4111->4112 4112->4104 4116 4047b8 SendMessageA 4112->4116 4113 4046fc 4125 4047f0 4113->4125 4114 404607 GetDlgItem 4123 40443a SendMessageA 4114->4123 4116->4104 4119 40461d SendMessageA 4120 404644 SendMessageA SendMessageA lstrlenA SendMessageA SendMessageA 4119->4120 4121 40463b GetSysColor 4119->4121 4120->4104 4121->4120 4122->4114 4123->4119 4124->4113 4126 404803 SendMessageA 4125->4126 4127 4047fe 4125->4127 4126->4092 4127->4126 4131 405a64 ShellExecuteExA 4128->4131 4130 40477a LoadCursorA SetCursor 4130->4099 4131->4130 4132 402173 4133 402c39 17 API calls 4132->4133 4134 40217a 4133->4134 4135 402c39 17 API calls 4134->4135 4136 402184 4135->4136 4137 402c39 17 API calls 4136->4137 4138 40218e 4137->4138 4139 402c39 17 API calls 4138->4139 4140 40219b 4139->4140 4141 402c39 17 API calls 4140->4141 4142 4021a5 4141->4142 4143 4021e7 CoCreateInstance 4142->4143 4144 402c39 17 API calls 4142->4144 4145 402206 4143->4145 4149 4022b4 4143->4149 4144->4143 4148 402294 MultiByteToWideChar 4145->4148 4145->4149 4146 401423 24 API calls 4147 4022ea 4146->4147 4148->4149 4149->4146 4149->4147 4150 4022f3 4151 402c39 17 API calls 4150->4151 4152 4022f9 4151->4152 4153 402c39 17 API calls 4152->4153 4154 402302 4153->4154 4155 402c39 17 API calls 4154->4155 4156 40230b 4155->4156 4157 4066ff 2 API calls 4156->4157 4158 402314 4157->4158 4159 402325 lstrlenA lstrlenA 4158->4159 4163 402318 4158->4163 4161 4054a9 24 API calls 4159->4161 4160 4054a9 24 API calls 4164 402320 4160->4164 4162 402361 SHFileOperationA 4161->4162 4162->4163 4162->4164 4163->4160 4163->4164 4165 4014f4 SetForegroundWindow 4166 402ac5 4165->4166 4167 402375 4168 40237c 4167->4168 4171 40238f 4167->4171 4169 40641b 17 API calls 4168->4169 4170 402389 4169->4170 4172 405a9e MessageBoxIndirectA 4170->4172 
4172->4171 4173 402675 4174 402c17 17 API calls 4173->4174 4178 40267f 4174->4178 4175 4026ed 4176 405f93 ReadFile 4176->4178 4177 4026ef 4182 4062e6 wsprintfA 4177->4182 4178->4175 4178->4176 4178->4177 4179 4026ff 4178->4179 4179->4175 4181 402715 SetFilePointer 4179->4181 4181->4175 4182->4175 4183 4029f6 4184 402a49 4183->4184 4185 4029fd 4183->4185 4186 406794 5 API calls 4184->4186 4188 402c17 17 API calls 4185->4188 4191 402a47 4185->4191 4187 402a50 4186->4187 4189 402c39 17 API calls 4187->4189 4190 402a0b 4188->4190 4192 402a59 4189->4192 4193 402c17 17 API calls 4190->4193 4192->4191 4201 4063db 4192->4201 4195 402a1a 4193->4195 4200 4062e6 wsprintfA 4195->4200 4196 402a67 4196->4191 4205 4063c5 4196->4205 4200->4191 4202 4063e6 4201->4202 4203 406409 IIDFromString 4202->4203 4204 406402 4202->4204 4203->4196 4204->4196 4208 4063aa WideCharToMultiByte 4205->4208 4207 402a88 CoTaskMemFree 4207->4191 4208->4207 4209 401ef9 4210 402c39 17 API calls 4209->4210 4211 401eff 4210->4211 4212 402c39 17 API calls 4211->4212 4213 401f08 4212->4213 4214 402c39 17 API calls 4213->4214 4215 401f11 4214->4215 4216 402c39 17 API calls 4215->4216 4217 401f1a 4216->4217 4218 401423 24 API calls 4217->4218 4219 401f21 4218->4219 4226 405a64 ShellExecuteExA 4219->4226 4221 401f5c 4222 406809 5 API calls 4221->4222 4224 4027c8 4221->4224 4223 401f76 CloseHandle 4222->4223 4223->4224 4226->4221 3534 401f7b 3535 402c39 17 API calls 3534->3535 3536 401f81 3535->3536 3537 4054a9 24 API calls 3536->3537 3538 401f8b 3537->3538 3549 405a21 CreateProcessA 3538->3549 3541 401fb2 CloseHandle 3545 4027c8 3541->3545 3544 401fa6 3546 401fb4 3544->3546 3547 401fab 3544->3547 3546->3541 3557 4062e6 wsprintfA 3547->3557 3550 401f91 3549->3550 3551 405a54 CloseHandle 3549->3551 3550->3541 3550->3545 3552 406809 WaitForSingleObject 3550->3552 3551->3550 3553 406823 3552->3553 3554 406835 GetExitCodeProcess 3553->3554 3555 4067d0 2 API calls 3553->3555 3554->3544 3556 40682a 
WaitForSingleObject 3555->3556 3556->3553 3557->3541 4234 401ffb 4235 402c39 17 API calls 4234->4235 4236 402002 4235->4236 4237 406794 5 API calls 4236->4237 4238 402011 4237->4238 4239 402029 GlobalAlloc 4238->4239 4248 402099 4238->4248 4240 40203d 4239->4240 4239->4248 4241 406794 5 API calls 4240->4241 4242 402044 4241->4242 4243 406794 5 API calls 4242->4243 4244 40204e 4243->4244 4244->4248 4249 4062e6 wsprintfA 4244->4249 4246 402089 4250 4062e6 wsprintfA 4246->4250 4249->4246 4250->4248 3831 403a7c 3832 403a97 3831->3832 3833 403a8d CloseHandle 3831->3833 3834 403aa1 CloseHandle 3832->3834 3835 403aab 3832->3835 3833->3832 3834->3835 3840 403ad9 3835->3840 3838 405b4a 67 API calls 3839 403abc 3838->3839 3841 403ae7 3840->3841 3842 403ab0 3841->3842 3843 403aec FreeLibrary GlobalFree 3841->3843 3842->3838 3843->3842 3843->3843 4251 4018fd 4252 401934 4251->4252 4253 402c39 17 API calls 4252->4253 4254 401939 4253->4254 4255 405b4a 67 API calls 4254->4255 4256 401942 4255->4256 3844 40247e 3845 402c39 17 API calls 3844->3845 3846 402490 3845->3846 3847 402c39 17 API calls 3846->3847 3848 40249a 3847->3848 3861 402cc9 3848->3861 3851 4024cf 3855 4024db 3851->3855 3865 402c17 3851->3865 3852 402c39 17 API calls 3856 4024c8 lstrlenA 3852->3856 3853 402ac5 3854 4024fd RegSetValueExA 3859 402513 RegCloseKey 3854->3859 3855->3854 3858 4031fd 44 API calls 3855->3858 3856->3851 3858->3854 3859->3853 3862 402ce4 3861->3862 3868 40623c 3862->3868 3866 40641b 17 API calls 3865->3866 3867 402c2c 3866->3867 3867->3855 3869 40624b 3868->3869 3870 4024aa 3869->3870 3871 406256 RegCreateKeyExA 3869->3871 3870->3851 3870->3852 3870->3853 3871->3870 4257 401cfe 4258 402c17 17 API calls 4257->4258 4259 401d04 IsWindow 4258->4259 4260 401a0e 4259->4260 4261 401000 4262 401037 BeginPaint GetClientRect 4261->4262 4263 40100c DefWindowProcA 4261->4263 4265 4010f3 4262->4265 4266 401179 4263->4266 4267 401073 CreateBrushIndirect FillRect DeleteObject 4265->4267 4268 4010fc 
4265->4268 4267->4265 4269 401102 CreateFontIndirectA 4268->4269 4270 401167 EndPaint 4268->4270 4269->4270 4271 401112 6 API calls 4269->4271 4270->4266 4271->4270 4272 401900 4273 402c39 17 API calls 4272->4273 4274 401907 4273->4274 4275 405a9e MessageBoxIndirectA 4274->4275 4276 401910 4275->4276 4277 402780 4278 402786 4277->4278 4279 40278a FindNextFileA 4278->4279 4282 40279c 4278->4282 4280 4027db 4279->4280 4279->4282 4283 406388 lstrcpynA 4280->4283 4283->4282 4284 401502 4285 40150a 4284->4285 4287 40151d 4284->4287 4286 402c17 17 API calls 4285->4286 4286->4287 4288 401b87 4289 401b94 4288->4289 4290 401bd8 4288->4290 4291 401c1c 4289->4291 4298 401bab 4289->4298 4292 401c01 GlobalAlloc 4290->4292 4293 401bdc 4290->4293 4295 40641b 17 API calls 4291->4295 4304 40238f 4291->4304 4294 40641b 17 API calls 4292->4294 4293->4304 4309 406388 lstrcpynA 4293->4309 4294->4291 4297 402389 4295->4297 4302 405a9e MessageBoxIndirectA 4297->4302 4307 406388 lstrcpynA 4298->4307 4299 401bee GlobalFree 4299->4304 4301 401bba 4308 406388 lstrcpynA 4301->4308 4302->4304 4305 401bc9 4310 406388 lstrcpynA 4305->4310 4307->4301 4308->4305 4309->4299 4310->4304 4311 406a88 4313 40690c 4311->4313 4312 407277 4313->4312 4314 406996 GlobalAlloc 4313->4314 4315 40698d GlobalFree 4313->4315 4316 406a04 GlobalFree 4313->4316 4317 406a0d GlobalAlloc 4313->4317 4314->4312 4314->4313 4315->4314 4316->4317 4317->4312 4317->4313 3530 401389 3532 401390 3530->3532 3531 4013fe 3532->3531 3533 4013cb MulDiv SendMessageA 3532->3533 3533->3532 4318 404e0a GetDlgItem GetDlgItem 4319 404e60 7 API calls 4318->4319 4325 405087 4318->4325 4320 404f08 DeleteObject 4319->4320 4321 404efc SendMessageA 4319->4321 4322 404f13 4320->4322 4321->4320 4323 404f4a 4322->4323 4326 40641b 17 API calls 4322->4326 4327 404405 18 API calls 4323->4327 4324 405169 4328 405215 4324->4328 4333 40507a 4324->4333 4338 4051c2 SendMessageA 4324->4338 4325->4324 4352 4050f6 4325->4352 4372 404d58 SendMessageA 
4325->4372 4331 404f2c SendMessageA SendMessageA 4326->4331 4332 404f5e 4327->4332 4329 405227 4328->4329 4330 40521f SendMessageA 4328->4330 4340 405240 4329->4340 4341 405239 ImageList_Destroy 4329->4341 4349 405250 4329->4349 4330->4329 4331->4322 4337 404405 18 API calls 4332->4337 4335 40446c 8 API calls 4333->4335 4334 40515b SendMessageA 4334->4324 4339 405416 4335->4339 4353 404f6f 4337->4353 4338->4333 4343 4051d7 SendMessageA 4338->4343 4344 405249 GlobalFree 4340->4344 4340->4349 4341->4340 4342 4053ca 4342->4333 4347 4053dc ShowWindow GetDlgItem ShowWindow 4342->4347 4346 4051ea 4343->4346 4344->4349 4345 405049 GetWindowLongA SetWindowLongA 4348 405062 4345->4348 4358 4051fb SendMessageA 4346->4358 4347->4333 4350 405067 ShowWindow 4348->4350 4351 40507f 4348->4351 4349->4342 4365 40528b 4349->4365 4377 404dd8 4349->4377 4370 40443a SendMessageA 4350->4370 4371 40443a SendMessageA 4351->4371 4352->4324 4352->4334 4353->4345 4354 405044 4353->4354 4357 404fc1 SendMessageA 4353->4357 4359 405013 SendMessageA 4353->4359 4360 404fff SendMessageA 4353->4360 4354->4345 4354->4348 4357->4353 4358->4328 4359->4353 4360->4353 4362 405395 4363 4053a0 InvalidateRect 4362->4363 4366 4053ac 4362->4366 4363->4366 4364 4052b9 SendMessageA 4368 4052cf 4364->4368 4365->4364 4365->4368 4366->4342 4386 404d13 4366->4386 4367 405343 SendMessageA SendMessageA 4367->4368 4368->4362 4368->4367 4370->4333 4371->4325 4373 404db7 SendMessageA 4372->4373 4374 404d7b GetMessagePos ScreenToClient SendMessageA 4372->4374 4376 404daf 4373->4376 4375 404db4 4374->4375 4374->4376 4375->4373 4376->4352 4389 406388 lstrcpynA 4377->4389 4379 404deb 4390 4062e6 wsprintfA 4379->4390 4381 404df5 4382 40140b 2 API calls 4381->4382 4383 404dfe 4382->4383 4391 406388 lstrcpynA 4383->4391 4385 404e05 4385->4365 4392 404c4e 4386->4392 4388 404d28 4388->4342 4389->4379 4390->4381 4391->4385 4393 404c64 4392->4393 4394 40641b 17 API calls 4393->4394 4395 404cc8 4394->4395 4396 40641b 17 API calls 
4395->4396 4397 404cd3 4396->4397 4398 40641b 17 API calls 4397->4398 4399 404ce9 lstrlenA wsprintfA SetDlgItemTextA 4398->4399 4399->4388 4400 40298a 4401 402c17 17 API calls 4400->4401 4402 402990 4401->4402 4403 4027c8 4402->4403 4404 40641b 17 API calls 4402->4404 4404->4403 4405 403f0b 4406 403f23 4405->4406 4407 404084 4405->4407 4406->4407 4408 403f2f 4406->4408 4409 4040d5 4407->4409 4410 404095 GetDlgItem GetDlgItem 4407->4410 4412 403f3a SetWindowPos 4408->4412 4413 403f4d 4408->4413 4411 40412f 4409->4411 4422 401389 2 API calls 4409->4422 4414 404405 18 API calls 4410->4414 4415 404451 SendMessageA 4411->4415 4423 40407f 4411->4423 4412->4413 4416 403f56 ShowWindow 4413->4416 4417 403f98 4413->4417 4418 4040bf SetClassLongA 4414->4418 4445 404141 4415->4445 4424 404042 4416->4424 4425 403f76 GetWindowLongA 4416->4425 4419 403fa0 DestroyWindow 4417->4419 4420 403fb7 4417->4420 4421 40140b 2 API calls 4418->4421 4426 40438e 4419->4426 4427 403fbc SetWindowLongA 4420->4427 4428 403fcd 4420->4428 4421->4409 4429 404107 4422->4429 4430 40446c 8 API calls 4424->4430 4425->4424 4431 403f8f ShowWindow 4425->4431 4426->4423 4438 4043bf ShowWindow 4426->4438 4427->4423 4428->4424 4432 403fd9 GetDlgItem 4428->4432 4429->4411 4433 40410b SendMessageA 4429->4433 4430->4423 4431->4417 4436 404007 4432->4436 4437 403fea SendMessageA IsWindowEnabled 4432->4437 4433->4423 4434 40140b 2 API calls 4434->4445 4435 404390 DestroyWindow EndDialog 4435->4426 4440 404014 4436->4440 4443 40405b SendMessageA 4436->4443 4444 404027 4436->4444 4450 40400c 4436->4450 4437->4423 4437->4436 4438->4423 4439 40641b 17 API calls 4439->4445 4440->4443 4440->4450 4441 4043de SendMessageA 4441->4424 4442 404405 18 API calls 4442->4445 4443->4424 4446 404044 4444->4446 4447 40402f 4444->4447 4445->4423 4445->4434 4445->4435 4445->4439 4445->4442 4451 404405 18 API calls 4445->4451 4467 4042d0 DestroyWindow 4445->4467 4448 40140b 2 API calls 4446->4448 4449 40140b 2 API calls 4447->4449 
4448->4450 4449->4450 4450->4424 4450->4441 4452 4041bc GetDlgItem 4451->4452 4453 4041d1 4452->4453 4454 4041d9 ShowWindow EnableWindow 4452->4454 4453->4454 4476 404427 EnableWindow 4454->4476 4456 404203 EnableWindow 4461 404217 4456->4461 4457 40421c GetSystemMenu EnableMenuItem SendMessageA 4458 40424c SendMessageA 4457->4458 4457->4461 4458->4461 4460 403eec 18 API calls 4460->4461 4461->4457 4461->4460 4477 40443a SendMessageA 4461->4477 4478 406388 lstrcpynA 4461->4478 4463 40427b lstrlenA 4464 40641b 17 API calls 4463->4464 4465 40428c SetWindowTextA 4464->4465 4466 401389 2 API calls 4465->4466 4466->4445 4467->4426 4468 4042ea CreateDialogParamA 4467->4468 4468->4426 4469 40431d 4468->4469 4470 404405 18 API calls 4469->4470 4471 404328 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4470->4471 4472 401389 2 API calls 4471->4472 4473 40436e 4472->4473 4473->4423 4474 404376 ShowWindow 4473->4474 4475 404451 SendMessageA 4474->4475 4475->4426 4476->4456 4477->4461 4478->4463 4479 40260c 4480 402c39 17 API calls 4479->4480 4481 402613 4480->4481 4484 405f1b GetFileAttributesA CreateFileA 4481->4484 4483 40261f 4484->4483 4485 401490 4486 4054a9 24 API calls 4485->4486 4487 401497 4486->4487 4488 402590 4498 402c79 4488->4498 4491 402c17 17 API calls 4492 4025a3 4491->4492 4493 4025ca RegEnumValueA 4492->4493 4494 4025be RegEnumKeyA 4492->4494 4496 4027c8 4492->4496 4495 4025df RegCloseKey 4493->4495 4494->4495 4495->4496 4499 402c39 17 API calls 4498->4499 4500 402c90 4499->4500 4501 40620e RegOpenKeyExA 4500->4501 4502 40259a 4501->4502 4502->4491 4510 404897 4511 4048c3 4510->4511 4512 4048d4 4510->4512 4571 405a82 GetDlgItemTextA 4511->4571 4513 4048e0 GetDlgItem 4512->4513 4521 40493f 4512->4521 4515 4048f4 4513->4515 4519 404908 SetWindowTextA 4515->4519 4524 405db3 4 API calls 4515->4524 4516 404a23 4520 404bcd 4516->4520 4573 405a82 GetDlgItemTextA 4516->4573 4517 4048ce 4518 406666 5 API calls 4517->4518 4518->4512 4525 404405 18 API calls 
4519->4525 4523 40446c 8 API calls 4520->4523 4521->4516 4521->4520 4526 40641b 17 API calls 4521->4526 4528 404be1 4523->4528 4529 4048fe 4524->4529 4530 404924 4525->4530 4531 4049b3 SHBrowseForFolderA 4526->4531 4527 404a53 4532 405e08 18 API calls 4527->4532 4529->4519 4536 405d1a 3 API calls 4529->4536 4533 404405 18 API calls 4530->4533 4531->4516 4534 4049cb CoTaskMemFree 4531->4534 4535 404a59 4532->4535 4537 404932 4533->4537 4538 405d1a 3 API calls 4534->4538 4574 406388 lstrcpynA 4535->4574 4536->4519 4572 40443a SendMessageA 4537->4572 4540 4049d8 4538->4540 4544 404a0f SetDlgItemTextA 4540->4544 4547 40641b 17 API calls 4540->4547 4542 404a70 4546 406794 5 API calls 4542->4546 4543 404938 4545 406794 5 API calls 4543->4545 4544->4516 4545->4521 4553 404a77 4546->4553 4548 4049f7 lstrcmpiA 4547->4548 4548->4544 4550 404a08 lstrcatA 4548->4550 4549 404ab3 4575 406388 lstrcpynA 4549->4575 4550->4544 4552 404aba 4554 405db3 4 API calls 4552->4554 4553->4549 4558 405d61 2 API calls 4553->4558 4559 404b0b 4553->4559 4555 404ac0 GetDiskFreeSpaceA 4554->4555 4557 404ae4 MulDiv 4555->4557 4555->4559 4557->4559 4558->4553 4560 404b7c 4559->4560 4562 404d13 20 API calls 4559->4562 4561 404b9f 4560->4561 4564 40140b 2 API calls 4560->4564 4576 404427 EnableWindow 4561->4576 4563 404b69 4562->4563 4565 404b7e SetDlgItemTextA 4563->4565 4566 404b6e 4563->4566 4564->4561 4565->4560 4568 404c4e 20 API calls 4566->4568 4568->4560 4569 404bbb 4569->4520 4570 4047f0 SendMessageA 4569->4570 4570->4520 4571->4517 4572->4543 4573->4527 4574->4542 4575->4552 4576->4569 4577 40541d 4578 405441 4577->4578 4579 40542d 4577->4579 4581 405449 IsWindowVisible 4578->4581 4587 405460 4578->4587 4580 405433 4579->4580 4589 40548a 4579->4589 4583 404451 SendMessageA 4580->4583 4584 405456 4581->4584 4581->4589 4582 40548f CallWindowProcA 4585 40543d 4582->4585 4583->4585 4586 404d58 5 API calls 4584->4586 4586->4587 4587->4582 4588 404dd8 4 API calls 4587->4588 4588->4589 4589->4582 
4590 40149d 4591 4014ab PostQuitMessage 4590->4591 4592 40238f 4590->4592 4591->4592 4593 40159d 4594 402c39 17 API calls 4593->4594 4595 4015a4 SetFileAttributesA 4594->4595 4596 4015b6 4595->4596 4597 401a1e 4598 402c39 17 API calls 4597->4598 4599 401a27 ExpandEnvironmentStringsA 4598->4599 4600 401a3b 4599->4600 4602 401a4e 4599->4602 4601 401a40 lstrcmpA 4600->4601 4600->4602 4601->4602 4603 40251e 4604 402c79 17 API calls 4603->4604 4605 402528 4604->4605 4606 402c39 17 API calls 4605->4606 4607 402531 4606->4607 4608 4027c8 4607->4608 4609 40253b RegQueryValueExA 4607->4609 4610 40255b 4609->4610 4613 402561 RegCloseKey 4609->4613 4610->4613 4614 4062e6 wsprintfA 4610->4614 4613->4608 4614->4613 4620 40171f 4621 402c39 17 API calls 4620->4621 4622 401726 SearchPathA 4621->4622 4623 401741 4622->4623 4624 401d1f 4625 402c17 17 API calls 4624->4625 4626 401d26 4625->4626 4627 402c17 17 API calls 4626->4627 4628 401d32 GetDlgItem 4627->4628 4629 402628 4628->4629 4630 402aa0 SendMessageA 4631 402ac5 4630->4631 4632 402aba InvalidateRect 4630->4632 4632->4631 4633 4023a4 4634 4023b2 4633->4634 4635 4023ac 4633->4635 4637 402c39 17 API calls 4634->4637 4639 4023c2 4634->4639 4636 402c39 17 API calls 4635->4636 4636->4634 4637->4639 4638 4023d0 4641 402c39 17 API calls 4638->4641 4639->4638 4640 402c39 17 API calls 4639->4640 4640->4638 4642 4023d9 WritePrivateProfileStringA 4641->4642 3363 4020a5 3364 4020b7 3363->3364 3365 402165 3363->3365 3366 402c39 17 API calls 3364->3366 3368 401423 24 API calls 3365->3368 3367 4020be 3366->3367 3369 402c39 17 API calls 3367->3369 3374 4022ea 3368->3374 3370 4020c7 3369->3370 3371 4020dc LoadLibraryExA 3370->3371 3372 4020cf GetModuleHandleA 3370->3372 3371->3365 3373 4020ec GetProcAddress 3371->3373 3372->3371 3372->3373 3375 402138 3373->3375 3376 4020fb 3373->3376 3377 4054a9 24 API calls 3375->3377 3379 40210b 3376->3379 3381 401423 3376->3381 3377->3379 3379->3374 3380 402159 FreeLibrary 3379->3380 3380->3374 3382 
4054a9 24 API calls 3381->3382 3383 401431 3382->3383 3383->3379 4643 402e25 4644 402e34 SetTimer 4643->4644 4645 402e4d 4643->4645 4644->4645 4646 402e9b 4645->4646 4647 402ea1 MulDiv 4645->4647 4648 402e5b wsprintfA SetWindowTextA SetDlgItemTextA 4647->4648 4648->4646 4657 402429 4658 402430 4657->4658 4659 40245b 4657->4659 4660 402c79 17 API calls 4658->4660 4661 402c39 17 API calls 4659->4661 4662 402437 4660->4662 4663 402462 4661->4663 4665 402c39 17 API calls 4662->4665 4666 40246f 4662->4666 4668 402cf7 4663->4668 4667 402448 RegDeleteValueA RegCloseKey 4665->4667 4667->4666 4669 402d03 4668->4669 4670 402d0a 4668->4670 4669->4666 4670->4669 4672 402d3b 4670->4672 4673 40620e RegOpenKeyExA 4672->4673 4674 402d69 4673->4674 4675 402d79 RegEnumValueA 4674->4675 4676 402d9c 4674->4676 4683 402e13 4674->4683 4675->4676 4677 402e03 RegCloseKey 4675->4677 4676->4677 4678 402dd8 RegEnumKeyA 4676->4678 4679 402de1 RegCloseKey 4676->4679 4681 402d3b 6 API calls 4676->4681 4677->4683 4678->4676 4678->4679 4680 406794 5 API calls 4679->4680 4682 402df1 4680->4682 4681->4676 4682->4683 4684 402df5 RegDeleteKeyA 4682->4684 4683->4669 4684->4683 4685 4027aa 4686 402c39 17 API calls 4685->4686 4687 4027b1 FindFirstFileA 4686->4687 4688 4027d4 4687->4688 4689 4027c4 4687->4689 4690 4027db 4688->4690 4693 4062e6 wsprintfA 4688->4693 4694 406388 lstrcpynA 4690->4694 4693->4690 4694->4689 4695 403b2c 4696 403b37 4695->4696 4697 403b3b 4696->4697 4698 403b3e GlobalAlloc 4696->4698 4698->4697 4699 401c2e 4700 402c17 17 API calls 4699->4700 4701 401c35 4700->4701 4702 402c17 17 API calls 4701->4702 4703 401c42 4702->4703 4704 402c39 17 API calls 4703->4704 4705 401c57 4703->4705 4704->4705 4706 401c67 4705->4706 4707 402c39 17 API calls 4705->4707 4708 401c72 4706->4708 4709 401cbe 4706->4709 4707->4706 4711 402c17 17 API calls 4708->4711 4710 402c39 17 API calls 4709->4710 4712 401cc3 4710->4712 4713 401c77 4711->4713 4714 402c39 17 API calls 4712->4714 4715 402c17 17 API 
calls 4713->4715 4716 401ccc FindWindowExA 4714->4716 4717 401c83 4715->4717 4720 401cea 4716->4720 4718 401c90 SendMessageTimeoutA 4717->4718 4719 401cae SendMessageA 4717->4719 4718->4720 4719->4720 4721 40262e 4722 402633 4721->4722 4723 402647 4721->4723 4724 402c17 17 API calls 4722->4724 4725 402c39 17 API calls 4723->4725 4727 40263c 4724->4727 4726 40264e lstrlenA 4725->4726 4726->4727 4728 402670 4727->4728 4729 405fc2 WriteFile 4727->4729 4729->4728 3175 401932 3176 401934 3175->3176 3181 402c39 3176->3181 3182 402c45 3181->3182 3224 40641b 3182->3224 3185 401939 3187 405b4a 3185->3187 3266 405e08 3187->3266 3190 405b72 DeleteFileA 3220 401942 3190->3220 3191 405b89 3192 405cb7 3191->3192 3280 406388 lstrcpynA 3191->3280 3192->3220 3309 4066ff FindFirstFileA 3192->3309 3194 405baf 3195 405bc2 3194->3195 3196 405bb5 lstrcatA 3194->3196 3281 405d61 lstrlenA 3195->3281 3198 405bc8 3196->3198 3201 405bd6 lstrcatA 3198->3201 3202 405be1 lstrlenA FindFirstFileA 3198->3202 3201->3202 3202->3192 3210 405c05 3202->3210 3205 405d45 CharNextA 3205->3210 3206 405b02 5 API calls 3207 405cf1 3206->3207 3208 405cf5 3207->3208 3209 405d0b 3207->3209 3215 4054a9 24 API calls 3208->3215 3208->3220 3213 4054a9 24 API calls 3209->3213 3210->3205 3211 405c96 FindNextFileA 3210->3211 3219 405b4a 60 API calls 3210->3219 3221 4054a9 24 API calls 3210->3221 3285 406388 lstrcpynA 3210->3285 3286 405b02 3210->3286 3294 4054a9 3210->3294 3305 406161 MoveFileExA 3210->3305 3211->3210 3214 405cae FindClose 3211->3214 3213->3220 3214->3192 3216 405d02 3215->3216 3217 406161 36 API calls 3216->3217 3217->3220 3219->3210 3221->3211 3228 406428 3224->3228 3225 40664d 3226 402c66 3225->3226 3257 406388 lstrcpynA 3225->3257 3226->3185 3241 406666 3226->3241 3228->3225 3229 406627 lstrlenA 3228->3229 3232 40641b 10 API calls 3228->3232 3234 406543 GetSystemDirectoryA 3228->3234 3235 406556 GetWindowsDirectoryA 3228->3235 3236 406666 5 API calls 3228->3236 3237 40658a 
SHGetSpecialFolderLocation 3228->3237 3238 40641b 10 API calls 3228->3238 3239 4065d0 lstrcatA 3228->3239 3250 40626f 3228->3250 3255 4062e6 wsprintfA 3228->3255 3256 406388 lstrcpynA 3228->3256 3229->3228 3232->3229 3234->3228 3235->3228 3236->3228 3237->3228 3240 4065a2 SHGetPathFromIDListA CoTaskMemFree 3237->3240 3238->3228 3239->3228 3240->3228 3248 406672 3241->3248 3242 4066da 3243 4066de CharPrevA 3242->3243 3246 4066f9 3242->3246 3243->3242 3244 4066cf CharNextA 3244->3242 3244->3248 3246->3185 3247 4066bd CharNextA 3247->3248 3248->3242 3248->3244 3248->3247 3249 4066ca CharNextA 3248->3249 3262 405d45 3248->3262 3249->3244 3258 40620e 3250->3258 3253 4062a3 RegQueryValueExA RegCloseKey 3254 4062d2 3253->3254 3254->3228 3255->3228 3256->3228 3257->3226 3259 40621d 3258->3259 3260 406221 3259->3260 3261 406226 RegOpenKeyExA 3259->3261 3260->3253 3260->3254 3261->3260 3263 405d4b 3262->3263 3264 405d5e 3263->3264 3265 405d51 CharNextA 3263->3265 3264->3248 3265->3263 3315 406388 lstrcpynA 3266->3315 3268 405e19 3316 405db3 CharNextA CharNextA 3268->3316 3271 405b6a 3271->3190 3271->3191 3272 406666 5 API calls 3278 405e2f 3272->3278 3273 405e5a lstrlenA 3274 405e65 3273->3274 3273->3278 3276 405d1a 3 API calls 3274->3276 3275 4066ff 2 API calls 3275->3278 3277 405e6a GetFileAttributesA 3276->3277 3277->3271 3278->3271 3278->3273 3278->3275 3279 405d61 2 API calls 3278->3279 3279->3273 3280->3194 3282 405d6e 3281->3282 3283 405d73 CharPrevA 3282->3283 3284 405d7f 3282->3284 3283->3282 3283->3284 3284->3198 3285->3210 3322 405ef6 GetFileAttributesA 3286->3322 3289 405b2f 3289->3210 3290 405b25 DeleteFileA 3292 405b2b 3290->3292 3291 405b1d RemoveDirectoryA 3291->3292 3292->3289 3293 405b3b SetFileAttributesA 3292->3293 3293->3289 3295 4054c4 3294->3295 3304 405567 3294->3304 3296 4054e1 lstrlenA 3295->3296 3297 40641b 17 API calls 3295->3297 3298 40550a 3296->3298 3299 4054ef lstrlenA 3296->3299 3297->3296 3301 405510 SetWindowTextA 3298->3301 3302 40551d 

Control-flow Graph
• Function at 4034cc (block-level graph figure not reproduced in text; the API call sites it reaches are listed under APIs below)
APIs
• SetErrorMode.KERNELBASE(00008001), ref: 004034EF
• GetVersionExA.KERNEL32(?), ref: 00403518
• GetVersionExA.KERNEL32(0000009C), ref: 0040352F
• lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004035F8
• #17.COMCTL32(?,00000007,00000009,0000000B), ref: 00403635
• OleInitialize.OLE32(00000000), ref: 0040363C
• SHGetFileInfoA.SHELL32(0041FD10,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 0040365A
• GetCommandLineA.KERNEL32(00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 0040366F
• CharNextA.USER32(00000000,"C:\Users\user\AppData\Local\Temp\setup.exe",00000020,"C:\Users\user\AppData\Local\Temp\setup.exe",00000000,?,00000007,00000009,0000000B), ref: 004036A9
• GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 004037A2
• GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 004037B3
• lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004037BF
• GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004037D3
• lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004037DB
• SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004037EC
• SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004037F4
• DeleteFileA.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 00403808
• ExitProcess.KERNEL32(?,?,00000007,00000009,0000000B), ref: 004038AE
• OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 004038B3
• ExitProcess.KERNEL32 ref: 004038D4
• lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\setup.exe",00000000,?,?,00000007,00000009,0000000B), ref: 004038E7
• lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A1B0,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\setup.exe",00000000,?,?,00000007,00000009,0000000B), ref: 004038F6
• lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\AppData\Local\Temp\setup.exe",00000000,?,?,00000007,00000009,0000000B), ref: 00403901
• lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp), ref: 0040390D
• SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 00403929
• DeleteFileA.KERNEL32(0041F910,0041F910,?,00425000,?,?,00000007,00000009,0000000B), ref: 00403986
• CopyFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\setup.exe,0041F910,00000001), ref: 0040399B
• CloseHandle.KERNEL32(00000000,0041F910,0041F910,?,0041F910,00000000,?,00000007,00000009,0000000B), ref: 004039C8
• GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004039F6
• OpenProcessToken.ADVAPI32(00000000), ref: 004039FD
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403A11
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403A30
• ExitWindowsEx.USER32(00000002,80040002), ref: 00403A55
• ExitProcess.KERNEL32 ref: 00403A76
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_setup.jbxd
Similarity
• API ID: Processlstrcat$ExitFile$CurrentDeleteDirectoryEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
• String ID: "$"C:\Users\user\AppData\Local\Temp\setup.exe"$.tmp$1033$A$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\setup.exe$C:\Users\user\AppData\Roaming\GamePall$C:\Users\user\AppData\Roaming\GamePall$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
• API String ID: 2882342585-56685449
• Opcode ID: 52eec0119052631d70130b9923c1eece19bfae2d8fd8cd18d56f0b379d03721e
• Instruction ID: 1a4863036e4e50ed5e1acae1e6299f6db15da00d6e87979e5214c03ba8a99dba
• Opcode Fuzzy Hash: 52eec0119052631d70130b9923c1eece19bfae2d8fd8cd18d56f0b379d03721e
• Instruction Fuzzy Hash: 99E1D270A04354AADB21AF659D49B6F7EB89F86306F0540BFF441B61D2CB7C4A05CB2E

Control-flow Graph
• Function at 405b4a (block-level graph figure not reproduced in text; the API call sites it reaches are listed under APIs below)
APIs
• DeleteFileA.KERNELBASE(?,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405B73
• lstrcatA.KERNEL32(00421D58,\*.*,00421D58,?,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405BBB
• lstrcatA.KERNEL32(?,0040A014,?,00421D58,?,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405BDC
• lstrlenA.KERNEL32(?,?,0040A014,?,00421D58,?,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405BE2
• FindFirstFileA.KERNELBASE(00421D58,?,?,?,0040A014,?,00421D58,?,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405BF3
• FindNextFileA.KERNELBASE(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405CA0
• FindClose.KERNEL32(00000000), ref: 00405CB1
Strings
• \*.*, xrefs: 00405BB5
• "C:\Users\user\AppData\Local\Temp\setup.exe", xrefs: 00405B53
Memory Dump Source
• Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_setup.jbxd
Similarity
• API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
• String ID: "C:\Users\user\AppData\Local\Temp\setup.exe"$\*.*
• API String ID: 2035342205-2430568624
• Opcode ID: 2ba348f7f603991e7b2998a01f0f2af9ee039e7695cfc72fde993ee98a245b0d
• Instruction ID: 9e5d3321e74a3647b1fb2cdcf4bec0a51507e3563529971eb59e862f6dba24c5
• Opcode Fuzzy Hash: 2ba348f7f603991e7b2998a01f0f2af9ee039e7695cfc72fde993ee98a245b0d
• Instruction Fuzzy Hash: 2B519130908B04AAEB316B61CC49BAF7AB8DF82755F14813FF851B51D2C73C5982DE69

Control-flow Graph

control_flow_graph 577 406a88-406a8d 578 406afe-406b1c 577->578 579 406a8f-406abe 577->579 580 4070f4-407109 578->580 581 406ac0-406ac3 579->581 582 406ac5-406ac9 579->582 583 407123-407139 580->583 584 40710b-407121 580->584 585 406ad5-406ad8 581->585 586 406ad1 582->586 587 406acb-406acf 582->587 588 40713c-407143 583->588 584->588 589 406af6-406af9 585->589 590 406ada-406ae3 585->590 586->585 587->585 594 407145-407149 588->594 595 40716a-407176 588->595 593 406ccb-406ce9 589->593 591 406ae5 590->591 592 406ae8-406af4 590->592 591->592 596 406b5e-406b8c 592->596 600 406d01-406d13 593->600 601 406ceb-406cff 593->601 597 4072f8-407302 594->597 598 40714f-407167 594->598 605 40690c-406915 595->605 603 406ba8-406bc2 596->603 604 406b8e-406ba6 596->604 602 40730e-407321 597->602 598->595 606 406d16-406d20 600->606 601->606 610 407326-40732a 602->610 609 406bc5-406bcf 603->609 604->609 607 407323 605->607 608 40691b 605->608 611 406d22 606->611 612 406cc3-406cc9 606->612 607->610 615 406922-406926 608->615 616 406a62-406a83 608->616 617 4069c7-4069cb 608->617 618 406a37-406a3b 608->618 620 406bd5 609->620 621 406b46-406b4c 609->621 613 406e33-406e40 611->613 614 406c9e-406ca2 611->614 612->593 619 406c67-406c71 612->619 613->605 624 406e8f-406e9e 613->624 629 406ca8-406cc0 614->629 630 4072aa-4072b4 614->630 615->602 631 40692c-406939 615->631 616->580 622 4069d1-4069ea 617->622 623 407277-407281 617->623 632 406a41-406a55 618->632 633 407286-407290 618->633 625 4072b6-4072c0 619->625 626 406c77-406c99 619->626 639 407292-40729c 620->639 640 406b2b-406b43 620->640 627 406b52-406b58 621->627 628 406bff-406c05 621->628 638 4069ed-4069f1 622->638 623->602 624->580 625->602 626->613 627->596 635 406c63 627->635 628->635 636 406c07-406c25 628->636 629->612 630->602 631->607 637 40693f-406985 631->637 641 406a58-406a60 632->641 633->602 635->619 642 406c27-406c3b 636->642 643 406c3d-406c4f 636->643 645 406987-40698b 637->645 646 4069ad-4069af 637->646 638->617 644 4069f3-4069f9 638->644 639->602 640->621 641->616 641->618 647 406c52-406c5c 642->647 643->647 652 406a23-406a35 644->652 653 4069fb-406a02 644->653 648 406996-4069a4 GlobalAlloc 645->648 649 40698d-406990 GlobalFree 645->649 650 4069b1-4069bb 646->650 651 4069bd-4069c5 646->651 647->628 654 406c5e 647->654 648->607 657 4069aa 648->657 649->648 650->650 650->651 651->638 652->641 655 406a04-406a07 GlobalFree 653->655 656 406a0d-406a1d GlobalAlloc 653->656 659 406be4-406bfc 654->659 660 40729e-4072a8 654->660 655->656 656->607 656->652 657->646 659->628 660->602
Memory Dump Source
• Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_setup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b420139e1bb7bdc71f93166ff3cf2c8d4b4e2e8bf29b11b667125d81af8f4237
• Instruction ID: c2ee61ea0ab5e5811791f69f03c7ffba3fbd093a674906ee4b434ab4c587e2e9
• Opcode Fuzzy Hash: b420139e1bb7bdc71f93166ff3cf2c8d4b4e2e8bf29b11b667125d81af8f4237
• Instruction Fuzzy Hash: 0FF18A70D04269CBDF28CF98C8946ADBBB0FF44305F24816ED856BB281D7786A86DF45

Control-flow Graph

control_flow_graph 720 4066ff-406713 FindFirstFileA 721 406720 720->721 722 406715-40671e FindClose 720->722 723 406722-406723 721->723 722->723
APIs
• FindFirstFileA.KERNELBASE(74DF3410,004225A0,C:\,00405E4B,C:\,C:\,00000000,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0), ref: 0040670A
• FindClose.KERNEL32(00000000), ref: 00406716
Memory Dump Source
• Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_setup.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID: C:\
• API String ID: 2295610775-3404278061
• Opcode ID: a8a8e6ca181c7703a692eace486e77433675a7c42b8a8fe2eb47bb99df7a0189
• Instruction ID: 083b1303d1f5dd1ba3b50291930e0491dd498af142a60d7bee4daa0eb941c193
• Opcode Fuzzy Hash: a8a8e6ca181c7703a692eace486e77433675a7c42b8a8fe2eb47bb99df7a0189
• Instruction Fuzzy Hash: B3D01231515120BBC3405B38AE0C95B7E589F093747618A36F066F22E4DB74CC6286AC

Control-flow Graph

control_flow_graph 142 403b6e-403b86 call 406794 145 403b88-403b98 call 4062e6 142->145 146 403b9a-403bcb call 40626f 142->146 154 403bee-403c17 call 403e33 call 405e08 145->154 150 403be3-403be9 lstrcatA 146->150 151 403bcd-403bde call 40626f 146->151 150->154 151->150 160 403c1d-403c22 154->160 161 403c9e-403ca6 call 405e08 154->161 160->161 162 403c24-403c48 call 40626f 160->162 166 403cb4-403cd9 LoadImageA 161->166 167 403ca8-403caf call 40641b 161->167 162->161 172 403c4a-403c4c 162->172 170 403d5a-403d62 call 40140b 166->170 171 403cdb-403d0b RegisterClassA 166->171 167->166 185 403d64-403d67 170->185 186 403d6c-403d77 call 403e33 170->186 175 403d11-403d55 SystemParametersInfoA CreateWindowExA 171->175 176 403e29 171->176 173 403c5d-403c69 lstrlenA 172->173 174 403c4e-403c5b call 405d45 172->174 180 403c91-403c99 call 405d1a call 406388 173->180 181 403c6b-403c79 lstrcmpiA 173->181 174->173 175->170 179 403e2b-403e32 176->179 180->161 181->180 184 403c7b-403c85 GetFileAttributesA 181->184 188 403c87-403c89 184->188 189 403c8b-403c8c call 405d61 184->189 185->179 195 403e00-403e08 call 40557b 186->195 196 403d7d-403d97 ShowWindow call 406726 186->196 188->180 188->189 189->180 201 403e22-403e24 call 40140b 195->201 202 403e0a-403e10 195->202 203 403da3-403db5 GetClassInfoA 196->203 204 403d99-403d9e call 406726 196->204 201->176 202->185 209 403e16-403e1d call 40140b 202->209 207 403db7-403dc7 GetClassInfoA RegisterClassA 203->207 208 403dcd-403dfe DialogBoxParamA call 40140b call 403abe 203->208 204->203 207->208 208->179 209->185
APIs
  • Part of subcall function 00406794: GetModuleHandleA.KERNEL32(?,00000000,?,0040360E,0000000B), ref: 004067A6
  • Part of subcall function 00406794: GetProcAddress.KERNEL32(00000000,?), ref: 004067C1
• lstrcatA.KERNEL32(1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000,00000002,74DF3410,C:\Users\user\AppData\Local\Temp\,?,"C:\Users\user\AppData\Local\Temp\setup.exe",00000009,0000000B), ref: 00403BE9
• lstrlenA.KERNEL32(C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,?,?,?,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,00000000,C:\Users\user\AppData\Roaming\GamePall,1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000,00000002,74DF3410), ref: 00403C5E
• lstrcmpiA.KERNEL32(?,.exe), ref: 00403C71
• GetFileAttributesA.KERNEL32(C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,?,"C:\Users\user\AppData\Local\Temp\setup.exe",00000009,0000000B), ref: 00403C7C
• LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\GamePall), ref: 00403CC5
  • Part of subcall function 004062E6: wsprintfA.USER32 ref: 004062F3
• RegisterClassA.USER32(00423EE0), ref: 00403D02
• SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403D1A
• CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403D4F
• ShowWindow.USER32(00000005,00000000,?,"C:\Users\user\AppData\Local\Temp\setup.exe",00000009,0000000B), ref: 00403D85
• GetClassInfoA.USER32(00000000,RichEdit20A,00423EE0), ref: 00403DB1
• GetClassInfoA.USER32(00000000,RichEdit,00423EE0), ref: 00403DBE
• RegisterClassA.USER32(00423EE0), ref: 00403DC7
• DialogBoxParamA.USER32(?,00000000,00403F0B,00000000), ref: 00403DE6
Memory Dump Source
• Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_setup.jbxd
Similarity
• API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
• String ID: "C:\Users\user\AppData\Local\Temp\setup.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\GamePall$C:\Users\user\AppData\Roaming\GamePall\GamePall.exe$Control Panel\Desktop\ResourceLocale$PB$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$>B
• API String ID: 1975747703-4005560175
• Opcode ID: e590d0c5fa98f393744fb4f016bdb4800495c857999addaceec8a385476c3f6f
• Instruction ID: 5836c5bb6a6ef8c4ff0aed12ec42ff3eebf2d58129c507535c8ab2622d1094a3
• Opcode Fuzzy Hash: e590d0c5fa98f393744fb4f016bdb4800495c857999addaceec8a385476c3f6f
• Instruction Fuzzy Hash: 4F61D670204200AED620AF65AD45F3B3A7CEB8574AF41453FF951B62E2CB7D9D028B6D

Control-flow Graph

                                                                                                                                                                                                                          control_flow_graph 216 402f5c-402faa GetTickCount GetModuleFileNameA call 405f1b 219 402fb6-402fe4 call 406388 call 405d61 call 406388 GetFileSize 216->219 220 402fac-402fb1 216->220 228 402fea 219->228 229 4030cf-4030dd call 402ebd 219->229 221 4031f6-4031fa 220->221 231 402fef-403006 228->231 235 4030e3-4030e6 229->235 236 4031ae-4031b3 229->236 233 403008 231->233 234 40300a-403013 call 40346e 231->234 233->234 243 403019-403020 234->243 244 40316a-403172 call 402ebd 234->244 238 403112-40315e GlobalAlloc call 4068b9 call 405f4a CreateFileA 235->238 239 4030e8-403100 call 403484 call 40346e 235->239 236->221 265 403160-403165 238->265 266 403174-4031a4 call 403484 call 4031fd 238->266 239->236 267 403106-40310c 239->267 248 403022-403036 call 405ed6 243->248 249 40309c-4030a0 243->249 244->236 255 4030aa-4030b0 248->255 263 403038-40303f 248->263 254 4030a2-4030a9 call 402ebd 249->254 249->255 254->255 256 4030b2-4030bc call 40684b 255->256 257 4030bf-4030c7 255->257 256->257 257->231 264 4030cd 257->264 263->255 270 403041-403048 263->270 264->229 265->221 277 4031a9-4031ac 266->277 267->236 267->238 270->255 272 40304a-403051 270->272 272->255 274 403053-40305a 272->274 274->255 276 40305c-40307c 274->276 276->236 278 403082-403086 276->278 277->236 279 4031b5-4031c6 277->279 280 403088-40308c 278->280 281 40308e-403096 278->281 282 4031c8 279->282 283 4031ce-4031d3 279->283 280->264 280->281 281->255 285 403098-40309a 281->285 282->283 284 4031d4-4031da 283->284 284->284 286 4031dc-4031f4 call 405ed6 284->286 285->255 286->221
APIs
• GetTickCount.KERNEL32 ref: 00402F70
• GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\setup.exe,00000400), ref: 00402F8C
  • Part of subcall function 00405F1B: GetFileAttributesA.KERNELBASE(00000003,00402F9F,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405F1F
  • Part of subcall function 00405F1B: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41
• GetFileSize.KERNEL32(00000000,00000000,0042C000,00000000,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00402FD5
• GlobalAlloc.KERNEL32(00000040,00000009), ref: 00403117
Strings
• C:\Users\user\AppData\Local\Temp, xrefs: 00402FB7, 00402FBC, 00402FC2
• C:\Users\user\AppData\Local\Temp\setup.exe, xrefs: 00402F76, 00402F85, 00402F99, 00402FB6
• C:\Users\user\AppData\Local\Temp\, xrefs: 00402F66, 0040312F
• soft, xrefs: 0040304A
• Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403160
• Null, xrefs: 00403053
• Error launching installer, xrefs: 00402FAC
• Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 004031AE
• Inst, xrefs: 00403041
• "C:\Users\user\AppData\Local\Temp\setup.exe", xrefs: 00402F65
Memory Dump Source
• Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_setup.jbxd
Similarity
• API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
• String ID: "C:\Users\user\AppData\Local\Temp\setup.exe"$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\setup.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
• API String ID: 2803837635-1937576205
• Opcode ID: 948897f0a7bf445ed3fd87f3f97ca94f99971360adfd1b44ac20b9f0a6b79c08
• Instruction ID: 8a05da1d373fd2b3e089436e62a275652004ed3b6aa6cfe031be989f12afac8e
• Opcode Fuzzy Hash: 948897f0a7bf445ed3fd87f3f97ca94f99971360adfd1b44ac20b9f0a6b79c08
• Instruction Fuzzy Hash: 0771E231A01218ABDB20EF65DD85B9E7BACEB44356F10813BF910BA2C1D77C9E458B5C

Control-flow Graph

APIs
• GetSystemDirectoryA.KERNEL32(C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,00000400), ref: 00406549
• GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,00000400,?,00420530,00000000,004054E1,00420530,00000000), ref: 0040655C
• SHGetSpecialFolderLocation.SHELL32(004054E1,00000000,?,00420530,00000000,004054E1,00420530,00000000), ref: 00406598
• SHGetPathFromIDListA.SHELL32(00000000,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe), ref: 004065A6
• CoTaskMemFree.OLE32(00000000), ref: 004065B2
• lstrcatA.KERNEL32(C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,\Microsoft\Internet Explorer\Quick Launch), ref: 004065D6
• lstrlenA.KERNEL32(C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,?,00420530,00000000,004054E1,00420530,00000000,00000000,00000000,00000000), ref: 00406628
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_setup.jbxd
Similarity
• API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
• String ID: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
• API String ID: 717251189-2103940979
• Opcode ID: 28fe3fa0c873c230fa859cbc890347587b683f5d94c1146f2a959db860f2b1f6
• Instruction ID: f38e20b3a3e0c1a2470d5ac0c6d90f06be75126661b475aa23e0086d5b044b98
• Opcode Fuzzy Hash: 28fe3fa0c873c230fa859cbc890347587b683f5d94c1146f2a959db860f2b1f6
• Instruction Fuzzy Hash: 9F612370900114AEDF205F24EC90BBA3BA4EB52314F52403FE913B62D1D37D8A62DB4E

Control-flow Graph

APIs
• lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,C:\Users\user\AppData\Roaming\GamePall,00000000,00000000,00000031), ref: 00401798
• CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,00000000,00000000,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,C:\Users\user\AppData\Roaming\GamePall,00000000,00000000,00000031), ref: 004017C2
  • Part of subcall function 00406388: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,0040366F,00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 00406395
  • Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
  • Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
  • Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
  • Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_setup.jbxd
Similarity
• API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
• String ID: C:\Users\user\AppData\Roaming\GamePall$C:\Users\user\AppData\Roaming\GamePall\GamePall.exe$C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe
• API String ID: 1941528284-2333790722
• Opcode ID: 531cf43c35c58c4dd4a4f90f95c8ebf7c3fa560a9c590302947909e1ab3ecca7
• Instruction ID: 0d76be79c55a0237b493b10f9ec5be6125ba7ce9be49b25e4c886387d44134cc
• Opcode Fuzzy Hash: 531cf43c35c58c4dd4a4f90f95c8ebf7c3fa560a9c590302947909e1ab3ecca7
• Instruction Fuzzy Hash: E141B731900615BBCB107BB5CC45DAF3668EF45329B61833BF422F10E1D67C8A529AAE

Control-flow Graph

                                                                                                                                                                                                                          • Executed
                                                                                                                                                                                                                          • Not Executed
                                                                                                                                                                                                                          control_flow_graph 487 406726-406746 GetSystemDirectoryA 488 406748 487->488 489 40674a-40674c 487->489 488->489 490 40675c-40675e 489->490 491 40674e-406756 489->491 493 40675f-406791 wsprintfA LoadLibraryExA 490->493 491->490 492 406758-40675a 491->492 492->493
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040673D
                                                                                                                                                                                                                          • wsprintfA.USER32 ref: 00406776
                                                                                                                                                                                                                          • LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040678A
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                                                                                                                                                                          • String ID: %s%s.dll$UXTHEME$\
                                                                                                                                                                                                                          • API String ID: 2200240437-4240819195
                                                                                                                                                                                                                          • Opcode ID: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
                                                                                                                                                                                                                          • Instruction ID: 0c3db372634d2cfba6f48721b0c795b31ebca02323a8b7d7371d162bf0ec7b9a
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FBF0FC7050021966DB15A764DD0DFEA365CAB08309F1404BEA586E20C1D6B8D5258B69

Control-flow Graph
APIs
• GlobalAlloc.KERNELBASE(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402849
• GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402865
• GlobalFree.KERNEL32(?), ref: 004028A4
• GlobalFree.KERNEL32(00000000), ref: 004028B7
• FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028D3
• DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028E6
Memory Dump Source
• Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_setup.jbxd
Similarity
• API ID: Global$AllocFree$ChangeCloseDeleteFileFindNotification
• String ID:
• API String ID: 2989416154-0
• Opcode ID: 89df3cefb7dd421bed2d3b7eed546734cb5ae329452e645b4cc4e6c356db934a
• Instruction ID: cd924008ac91bdcd896aacfcc8aadc4f9c7de1b4393fc14a433ce499bdbf1d56
• Opcode Fuzzy Hash: 89df3cefb7dd421bed2d3b7eed546734cb5ae329452e645b4cc4e6c356db934a
• Instruction Fuzzy Hash: D931AC32800128ABDF216FA5DE49D9E7A75FF08364F24423AF450B62D0CB7949419F68

Control-flow Graph
• Nodes: 530 405f4a-405f54; 531 405f55-405f80 GetTickCount GetTempFileNameA; 532 405f82-405f84; 533 405f8f-405f91; 534 405f86; 535 405f89-405f8c
• Edges: 530->531, 531->532, 531->533, 532->531, 532->534, 533->535, 534->535
APIs
• GetTickCount.KERNEL32 ref: 00405F5E
• GetTempFileNameA.KERNELBASE(0000000B,?,00000000,?,?,004034CA,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007), ref: 00405F78
Memory Dump Source
• Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_setup.jbxd
Similarity
• API ID: CountFileNameTempTick
• String ID: C:\Users\user\AppData\Local\Temp\$nsa
• API String ID: 1716503409-678247507
• Opcode ID: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
• Instruction ID: 05c77450f8afc2c62a5a11a921c51d956a1ea51751b09822177720344b0c8500
• Opcode Fuzzy Hash: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
• Instruction Fuzzy Hash: 02F082363042087BDB109F55DD44BAB7B9CDF91750F14C03BFE48DA180D6B4D9988798

Control-flow Graph
• Nodes: 536 4020a5-4020b1; 537 4020b7-4020cd call 402c39 * 2; 538 40216c-40216e; 540 4022e5-4022ea call 401423; 546 402ac5-402ad4; 547 4020dc-4020ea LoadLibraryExA; 548 4020cf-4020da GetModuleHandleA; 550 4020ec-4020f9 GetProcAddress; 551 402165-402167; 553 402138-40213d call 4054a9; 554 4020fb-402101; 556 402103-40210f call 401423; 557 40211a-40212e; 558 402142-402145; 560 402133-402136; 561 40214b-402153 call 403b0e; 566 402159-402160 FreeLibrary; 567 402111-402118
• Edges: 536->537, 536->538, 537->547, 537->548, 538->540, 540->546, 547->550, 547->551, 548->547, 548->550, 550->553, 550->554, 551->540, 553->558, 554->556, 554->557, 556->558, 556->567, 557->560, 558->546, 558->561, 560->558, 561->546, 561->566, 566->546, 567->558
APIs
• GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 004020D0
  • Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
  • Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
  • Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
  • Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
• LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 004020E0
• GetProcAddress.KERNEL32(00000000,?), ref: 004020F0
• FreeLibrary.KERNELBASE(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040215A
Memory Dump Source
• Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_setup.jbxd
Similarity
• API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
• String ID:
• API String ID: 2987980305-0
• Opcode ID: 55027bfb1e7038bef75906a0c7732c3b75841ebb17574d5b7e2f6ee6ad6aef08
• Instruction ID: efc1da79dccaef9ffb2761d2644f5cd4432d5c2edc08e83b6cf0327c91c21bf2
• Opcode Fuzzy Hash: 55027bfb1e7038bef75906a0c7732c3b75841ebb17574d5b7e2f6ee6ad6aef08
• Instruction Fuzzy Hash: 2B210832904214E7CF207FA58E4DAAE3A60AF44358F60413FF601B61E0DBBD49819A6E

Control-flow Graph (basic blocks with their address ranges, called functions and successor blocks)
• 568: 403a7c-403a8b → 569, 570
• 569: 403a97-403a9f → 571, 572
• 570: 403a8d-403a90 (CloseHandle) → 569
• 571: 403aa1-403aa4 (CloseHandle) → 572
• 572: 403aab-403ab7 (call 403ad9, call 405b4a) → 576
• 576: 403abc-403abd
APIs
• CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,004038B3,?,?,00000007,00000009,0000000B), ref: 00403A8E
• CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,004038B3,?,?,00000007,00000009,0000000B), ref: 00403AA2
Strings
• C:\Users\user\AppData\Local\Temp\, xrefs: 00403A81
• C:\Users\user\AppData\Local\Temp\nsjB8F5.tmp\, xrefs: 00403AB2
Memory Dump Source
• Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_setup.jbxd
Similarity
• API ID: CloseHandle
• String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsjB8F5.tmp\
• API String ID: 2962429428-3666343344
• Opcode ID: 860558c91a71a64e21cfc04441b923a48857e57a960d7bb4a44cdc910ceccc08
• Instruction ID: f2bf129958ed6937e4157d035670f95a6da1e01cb45a681b65e96f9405f647bf
• Instruction Fuzzy Hash: F4E08631640B1896C130EF7CAD4D8853B189B413357204726F1B9F20F0C738A9574EE9

Control-flow Graph (basic blocks with their address ranges, called functions and successor blocks)
• 661: 4015bb-4015ce (call 402c39, call 405db3) → 666, 667
• 666: 4015d0-4015e3 (call 405d45) → 675, 676
• 667: 401624-401627 → 669, 670
• 669: 401652-4022ea (call 401423) → 683
• 670: 401629-401644 (call 401423, call 406388, SetCurrentDirectoryA) → 683, 690
• 675: 4015e5-4015e8 → 676, 680
• 676: 4015fb-4015fc (call 4059ec) → 682
• 680: 4015ea-4015f1 (call 405a09) → 676, 693
• 682: 401601-401603 → 686, 687
• 683: 402ac5-402ad4
• 686: 401605-40160a → 691, 692
• 687: 40161a-401622 → 666, 667
• 690: 40164a-40164d → 683
• 691: 401617 → 687
• 692: 40160c-401615 (GetFileAttributesA) → 687, 691
• 693: 4015f3-4015f9 (call 40596f) → 682
APIs
  • Part of subcall function 00405DB3: CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405DC1
  • Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DC6
  • Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DDA
• GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
  • Part of subcall function 0040596F: CreateDirectoryA.KERNEL32(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 004059B2
• SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\GamePall,00000000,00000000,000000F0), ref: 0040163C
Strings
• C:\Users\user\AppData\Roaming\GamePall, xrefs: 00401631
Memory Dump Source
• Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_setup.jbxd
Similarity
• API ID: CharNext$Directory$AttributesCreateCurrentFile
• String ID: C:\Users\user\AppData\Roaming\GamePall
• API String ID: 1892508949-2308708932
• Opcode ID: f3ba161a3ac08c4a0fb9ad52a50d0308f78dcdedc211e6075dac0401aebdcf48
• Instruction ID: f3b3600b6319d637c5497ea1020ed17c5aedac6227b62b2eaa768bc98e31f113
• Instruction Fuzzy Hash: 09115731508140EBCF306FA54D405BF23B09E96324B28453FF8D1B22E2DA3D0C42AA3E

Control-flow Graph (basic blocks with their address ranges, called functions and successor blocks)
• 697: 405e08-405e23 (call 406388, call 405db3) → 702, 703
• 702: 405e25-405e27 → 704
• 703: 405e29-405e36 (call 406666) → 707, 708
• 704: 405e7b-405e7d
• 707: 405e42-405e44 → 709
• 708: 405e38-405e3c → 702, 710
• 709: 405e5a-405e63 (lstrlenA) → 711, 712
• 710: 405e3e-405e40 → 702, 707
• 711: 405e65-405e79 (call 405d1a, GetFileAttributesA) → 704
• 712: 405e46-405e4d (call 4066ff) → 717, 718
• 717: 405e54-405e55 (call 405d61) → 709
• 718: 405e4f-405e52 → 702, 717
APIs
  • Part of subcall function 00406388: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,0040366F,00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 00406395
  • Part of subcall function 00405DB3: CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405DC1
  • Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DC6
  • Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DDA
• lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405E5B
• GetFileAttributesA.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0), ref: 00405E6B
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_setup.jbxd
Similarity
• API ID: CharNext$AttributesFilelstrcpynlstrlen
• String ID: C:\
• API String ID: 3248276644-3404278061
• Opcode ID: 9b5a40e36fb6d6325312229f101030c034a2baba4673648e7d7a04b0a2ff685f
• Instruction ID: eca821d8ca18e415d707ee210574ba5bb9731226a542ad11e9256983d04766a4
• Instruction Fuzzy Hash: F7F02831105D5116C6223336AD09AAF1644CE9732471A453FFCE1B52D2DB3C8A539CEE
Memory Dump Source
• Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_setup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3294aed7e6278100db64414b9f116292b07b09feaa7d8b5145f731feae0eba26
• Instruction ID: 14484b0326c8a5630d33184448731c7578348ec986130544f859662fecd3ad08
• Instruction Fuzzy Hash: 04A12471E04229CBDF28CFA8C844BADBBB1FF44305F14816AD956BB281C7786986DF45
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 74e067d77b8d7a9b68dd685dca04d3d71c5ee3b4c66787705bfaaaffb075589f
                                                                                                                                                                                                                          • Instruction ID: 16a3963220edad981734dfbd86db7ae4535d0e52bcc7a87e0ef86c627c8cfaa4
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 74e067d77b8d7a9b68dd685dca04d3d71c5ee3b4c66787705bfaaaffb075589f
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2D912370D04268CBDF28CF98C854BADBBB1FF44305F14816AD956BB281C7786986DF45
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 7ffa2499bf387f79f1209cac769e5c71ba3d3f6d53411ba5d370abef73c06fe0
                                                                                                                                                                                                                          • Instruction ID: e981be8a744509f315cfd76b32476d9c10b76e0a4aa84739a8d113cb33934a41
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7ffa2499bf387f79f1209cac769e5c71ba3d3f6d53411ba5d370abef73c06fe0
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 37812471E04228CBDF24CFA8C844BADBBB1FF45305F24816AD856BB291C7789986DF45
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 9b20245c0637e97ad79b0c04fd837c43a33b4178456ec09291c35722496dfe88
                                                                                                                                                                                                                          • Instruction ID: 8182d74baebb800b0d472bca2432a1a472ea96a2662ae7b36db949844af6c4d7
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9b20245c0637e97ad79b0c04fd837c43a33b4178456ec09291c35722496dfe88
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DF815971E04228DBEF24CFA8C844BADBBB1FF44305F10816AD956BB281C7786986DF45
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: d628358dfeac25ccb8ac491a47a372453481bb06581bffe716440ea5054c50f9
                                                                                                                                                                                                                          • Instruction ID: 516ab04208dd2bc2fd7cdea6c41d3130492ff38fa800e35acf718bd73fbf6333
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d628358dfeac25ccb8ac491a47a372453481bb06581bffe716440ea5054c50f9
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A4712271E04228CBDF24CF98C844BADBBB1FF48305F14806AD856BB281C778A986DF45
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: e8eb04bd933ca205c297744f59a7b7035fe2e59d11d29800bf5f20fbdb1e525a
                                                                                                                                                                                                                          • Instruction ID: 835baf8de871759411e2c74e4a47f0112f02d54065241c3c7dcda5dc236b3f46
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e8eb04bd933ca205c297744f59a7b7035fe2e59d11d29800bf5f20fbdb1e525a
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 92712571E04228CBEF28CF98C844BADBBB1FF44305F15816AD856BB281C7786996DF45
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_setup.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ed70085a56e3aedeea153169e26c1aa9cf9d7e4654945abbe59913f8bdc615b9
• Instruction ID: ccec74d0ee3a806077926e8984c2e201e8b1f3d886c73ab216be699138b2bca7
• Opcode Fuzzy Hash: ed70085a56e3aedeea153169e26c1aa9cf9d7e4654945abbe59913f8bdc615b9
• Instruction Fuzzy Hash: 39715771E04228CBEF28CF98C844BADBBB1FF44305F14806AD956BB281C778A946DF45
APIs
• GetTickCount.KERNEL32, ref: 00403319
  • Part of subcall function 00403484: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403182,?), ref: 00403492
• SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,0040322F,00000004,00000000,00000000,0000000B,?,004031A9,000000FF,00000000,00000000,00000009,?), ref: 0040334C
• SetFilePointer.KERNELBASE(155C335B,00000000,00000000,004138F8,00004000,?,00000000,0040322F,00000004,00000000,00000000,0000000B,?,004031A9,000000FF,00000000), ref: 00403447
Memory Dump Source
• Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_setup.jbxd
Similarity
• API ID: FilePointer$CountTick
• String ID:
• API String ID: 1092082344-0
• Opcode ID: f3fd145fe371a3aefb2ec72eaaf4336e3a5ddfe71b6918c4f9f269c5704fa6fa
• Instruction ID: 5f41a1ef9683aad456499e8308d87ccfcfa217f8aa92108fcff4f05b83e24891
• Opcode Fuzzy Hash: f3fd145fe371a3aefb2ec72eaaf4336e3a5ddfe71b6918c4f9f269c5704fa6fa
• Instruction Fuzzy Hash: 1F319F72A002059FC711BF2AFE849663BACE741356710C13BE814B62F0CB3859458FAD
APIs
• lstrlenA.KERNEL32(0040AC20,00000023,00000011,00000002), ref: 004024C9
• RegSetValueExA.KERNELBASE(?,?,?,?,0040AC20,00000000,00000011,00000002), ref: 00402509
• RegCloseKey.KERNELBASE(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED
Memory Dump Source
• Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_setup.jbxd
Similarity
• API ID: CloseValuelstrlen
• String ID:
• API String ID: 2655323295-0
• Opcode ID: ef8eeb58056491ee092ed80bef3546efe310264daaab0f586760f51b4d92765b
• Instruction ID: e1e6ae2a7b536448810537a1ffa9a52b32d6c636ce9630cd27147c6707bb0a71
• Opcode Fuzzy Hash: ef8eeb58056491ee092ed80bef3546efe310264daaab0f586760f51b4d92765b
• Instruction Fuzzy Hash: 04116371E04208AFEB10AFA5DE49AAEBA74EB84714F21443BF504F71C1DAB94D409B68
APIs
• RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025C2
• RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 004025D5
• RegCloseKey.KERNELBASE(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED
Memory Dump Source
• Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_setup.jbxd
Similarity
• API ID: Enum$CloseValue
• String ID:
• API String ID: 397863658-0
• Opcode ID: 039baf7d42ae34e4e7f4f0d82c42536c565db7a64b10d6b3f593835efb4c20b6
• Instruction ID: 33ff3e85e785963e302667c06a3cb1355a7acd8bf142a31c2560ef5bcfc7d759
• Opcode Fuzzy Hash: 039baf7d42ae34e4e7f4f0d82c42536c565db7a64b10d6b3f593835efb4c20b6
• Instruction Fuzzy Hash: 2C017571904104FFE7158F54DE88ABF7BACEF81358F20443EF101A61C0DAB44E449679
APIs
  • Part of subcall function 00405EF6: GetFileAttributesA.KERNELBASE(?,?,00405B0E,?,?,00000000,00405CF1,?,?,?,?), ref: 00405EFB
  • Part of subcall function 00405EF6: SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405F0F
• RemoveDirectoryA.KERNELBASE(?,?,?,00000000,00405CF1), ref: 00405B1D
• DeleteFileA.KERNELBASE(?,?,?,00000000,00405CF1), ref: 00405B25
• SetFileAttributesA.KERNEL32(?,00000000), ref: 00405B3D
Memory Dump Source
• Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_setup.jbxd
Similarity
• API ID: File$Attributes$DeleteDirectoryRemove
• String ID:
• API String ID: 1655745494-0
• Opcode ID: fdbfe47bebcd8a5232fcae5ebebd8a359ed736e28fe734178b51a2620122945d
• Instruction ID: eeb49a2f717892c2e0964ab94aaac89db2a73fdd151ed94c70539e0cf44bba43
• Opcode Fuzzy Hash: fdbfe47bebcd8a5232fcae5ebebd8a359ed736e28fe734178b51a2620122945d
• Instruction Fuzzy Hash: 6CE0E531109A9097C62067349908A5B7AF8EF86314F094D3AF9A1F20D0DB38B9468EBD
APIs
• SetFilePointer.KERNELBASE(00000009,00000000,00000000,00000000,00000000,0000000B,?,004031A9,000000FF,00000000,00000000,00000009,?), ref: 00403222
Memory Dump Source
• Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_setup.jbxd
Similarity
• API ID: FilePointer
• String ID:
• API String ID: 973152223-0
• Opcode ID: 966fed337372371c4087f3b005d0b036fc883b56c67f04ec2e368497ceacb8e7
• Instruction ID: 301e065564a74905a78554ad982773151ad037ba2d6e6f8d8cd401a7b941de18
• Opcode Fuzzy Hash: 966fed337372371c4087f3b005d0b036fc883b56c67f04ec2e368497ceacb8e7
• Instruction Fuzzy Hash: E2318D30200219FFDB109F95ED45A9A3FA8EB05755B20847EB914E61D0D738DB509FA9
APIs
• RegQueryValueExA.ADVAPI32(00000000,00000000,?,?,?,?), ref: 0040254E
• RegCloseKey.KERNELBASE(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED
Memory Dump Source
• Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CloseQueryValue
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3356406503-0
                                                                                                                                                                                                                          • Opcode ID: 6617ca3d26eaa2170afdc71dc748124b2257766e2e1ea0df1a2f7a4cdc0ba340
                                                                                                                                                                                                                          • Instruction ID: 7c766f3f1fb2abd04e903467a79d83897fdaad9d0bba0580308fe752c8381985
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6617ca3d26eaa2170afdc71dc748124b2257766e2e1ea0df1a2f7a4cdc0ba340
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1B11BF71905205EFDB25CF64DA985AE7BB4AF11355F20483FE042B72C0D6B88A85DA1D
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                                                                                                                                                          • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: MessageSend
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3850602802-0
                                                                                                                                                                                                                          • Opcode ID: 04d136d289144069680b1fecce7da664cc2fd5e0b622116f853907ec40370e1b
                                                                                                                                                                                                                          • Instruction ID: c6e23866af321c238b4b59365f681da1ab702c54c00e726fca3ee5b0521d1f72
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 04d136d289144069680b1fecce7da664cc2fd5e0b622116f853907ec40370e1b
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5201D131B242109BE7194B38AE04B2A36A8E754315F51813AF851F61F1DB78CC129B4D
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422558,00000009,00000009,0000000B), ref: 00405A4A
                                                                                                                                                                                                                          • CloseHandle.KERNEL32(?), ref: 00405A57
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CloseCreateHandleProcess
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3712363035-0
                                                                                                                                                                                                                          • Opcode ID: c3ebc3f9998ac015d8c7df4fd8e4914833f251e822556357c2f70f84276a4d27
                                                                                                                                                                                                                          • Instruction ID: 70dcd79ab4e1e9e84cc9ba673cd08f466e07e48f17d85ed3475224309c024e1a
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c3ebc3f9998ac015d8c7df4fd8e4914833f251e822556357c2f70f84276a4d27
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A5E04FB4600209BFEB009B64ED09F7B77ACFB04244F808421BE40F2150D67899658A78
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetModuleHandleA.KERNEL32(?,00000000,?,0040360E,0000000B), ref: 004067A6
                                                                                                                                                                                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 004067C1
                                                                                                                                                                                                                            • Part of subcall function 00406726: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040673D
                                                                                                                                                                                                                            • Part of subcall function 00406726: wsprintfA.USER32 ref: 00406776
                                                                                                                                                                                                                            • Part of subcall function 00406726: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040678A
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2547128583-0
                                                                                                                                                                                                                          • Opcode ID: 6cfaa89c8510a3ae83a05a93334a7968bfc88d7e7cb527baf598ad9b980e56cb
                                                                                                                                                                                                                          • Instruction ID: 2a593beb9babc16b4b5ae8275dbdfb46ef4ebf17ea7291b62b5d373670c31446
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6cfaa89c8510a3ae83a05a93334a7968bfc88d7e7cb527baf598ad9b980e56cb
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B6E0863260421157D21067705E4897773ACAF94B54302043EF546F3144D7389C76966D
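The record above (GetModuleHandleA and GetProcAddress in the function body, with GetSystemDirectoryA, wsprintfA and LoadLibraryExA in the subcall at 00406726) is the one on this page that most repays a second look: the stub builds a path under the system directory, loads the library from it with dwFlags 0x00000008, and then resolves a symbol by name. The "APIs" bullets are regular enough to parse mechanically. The script below is an added example, not Joe Sandbox code and not part of this report; it parses the bullet lines into structured calls, decodes three flag values that appear on this page (LoadLibraryExA dwFlags 0x8 = LOAD_WITH_ALTERED_SEARCH_PATH, CreateProcessA dwCreationFlags 0x04000000 = CREATE_DEFAULT_ERROR_MODE, SendMessageA uMsg 0x402 = PBM_SETPOS, all as defined in the Windows SDK), and flags a record that combines a library load with GetProcAddress. It assumes the line shape seen here (`Api.MODULE(args), ref: ADDR`, with subcall lines prefixed by `Part of subcall function XXXXXXXX:`) and that string arguments contain no commas; the sample records are copied from this page.

```python
"""Parse Joe Sandbox 'APIs' bullet lines into structured calls (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# One 'APIs' bullet. Lines nested under 'Part of subcall function XXXXXXXX:' carry
# the caller's address; some entries (wsprintfA above) are listed with no argument list.
_API_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Flag decoding for parameters seen on this page. Values are the Windows SDK constants.
# Key: (api, zero-based argument index) -> {value: symbolic name}
_FLAG_NAMES = {
    ("LoadLibraryExA", 2): {0x8: "LOAD_WITH_ALTERED_SEARCH_PATH"},
    ("CreateProcessA", 5): {0x04000000: "CREATE_DEFAULT_ERROR_MODE"},
    ("SendMessageA", 1): {0x402: "PBM_SETPOS"},
}

@dataclass
class ApiCall:
    api: str
    module: str
    args: list            # int per argument; None where the sandbox printed '?'; str for paths
    ref: int              # address of the call site
    caller: Optional[int] = None   # set for 'Part of subcall function' lines
    decoded: dict = field(default_factory=dict)  # argument index -> flag name

def parse_api_line(line: str) -> Optional[ApiCall]:
    """Return an ApiCall for one bullet line, or None if the line is not an API entry."""
    m = _API_RE.match(line)
    if not m:
        return None
    args = []
    raw = m.group("args")
    if raw is not None and raw.strip():
        # Assumption: string arguments (e.g. a file path) contain no commas.
        for tok in (t.strip() for t in raw.split(",")):
            if tok == "?":
                args.append(None)
            elif re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
                args.append(int(tok, 16))
            else:
                args.append(tok)
    call = ApiCall(
        api=m.group("api"), module=m.group("module"), args=args,
        ref=int(m.group("ref"), 16),
        caller=int(m.group("caller"), 16) if m.group("caller") else None,
    )
    for (api, idx), names in _FLAG_NAMES.items():
        if call.api == api and idx < len(args) and args[idx] in names:
            call.decoded[idx] = names[args[idx]]
    return call

def parse_record(text: str) -> list:
    """Parse every API bullet in one function record; non-API lines are skipped."""
    return [c for c in (parse_api_line(l) for l in text.splitlines()) if c]

def resolves_imports_dynamically(calls: list) -> bool:
    """True when the record (subcalls included) loads a module and then resolves a symbol by name."""
    loaders = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
               "GetModuleHandleA", "GetModuleHandleW"}
    names = {c.api for c in calls}
    return "GetProcAddress" in names and bool(names & loaders)

# Constructed sample input: two records copied from this report.
RECORD_DYNAMIC_IMPORT = """\
• GetModuleHandleA.KERNEL32(?,00000000,?,0040360E,0000000B), ref: 004067A6
• GetProcAddress.KERNEL32(00000000,?), ref: 004067C1
  • Part of subcall function 00406726: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040673D
  • Part of subcall function 00406726: wsprintfA.USER32 ref: 00406776
  • Part of subcall function 00406726: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040678A
"""
RECORD_CREATE_PROCESS = """\
• CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422558,00000009,00000009,0000000B), ref: 00405A4A
• CloseHandle.KERNEL32(?), ref: 00405A57
"""

if __name__ == "__main__":
    for rec in (RECORD_DYNAMIC_IMPORT, RECORD_CREATE_PROCESS):
        calls = parse_record(rec)
        for c in calls:
            print(f"{c.ref:08X} {c.api}.{c.module} {c.decoded}")
        print("dynamic import resolution:", resolves_imports_dynamically(calls))
```

The `caller` field is what lets you tie the subcall bullets back to 00406726 when several records reference the same helper; on this page the same helper shows up only once, but the same stub pattern recurs across installer-based droppers, so the check is written over the whole record rather than a single line.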
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetFileAttributesA.KERNELBASE(00000003,00402F9F,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405F1F
                                                                                                                                                                                                                          • CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: File$AttributesCreate
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 415043291-0
                                                                                                                                                                                                                          • Opcode ID: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
                                                                                                                                                                                                                          • Instruction ID: c1cd633b288b309c16b37b55694bd397a2d2f3fd27c3ea135bedd35eac3c4d3c
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D9D09E31254602AFEF0D8F20DE16F2E7AA2EB84B00F11952CB682944E2DA715819AB19
APIs
• GetFileAttributesA.KERNELBASE(?,?,00405B0E,?,?,00000000,00405CF1,?,?,?,?), ref: 00405EFB
• SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405F0F
Memory Dump Source
• Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_setup.jbxd
Similarity
• API ID: AttributesFile
• String ID:
• API String ID: 3188754299-0
• Opcode ID: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
• Instruction ID: 2a9487917742c73a52daa6fa2dda6e447083e2efb983b62a69771bacbdb33add
• Opcode Fuzzy Hash: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
• Instruction Fuzzy Hash: E3D0C972504422ABD2102728AE0889BBB55DB94271702CA35FDA5A26F1DB304C569A9C

APIs
• CreateDirectoryA.KERNELBASE(?,00000000,004034BF,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004059F2
• GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405A00
Memory Dump Source
• Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_setup.jbxd
Similarity
• API ID: CreateDirectoryErrorLast
• String ID:
• API String ID: 1375471231-0
• Opcode ID: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
• Instruction ID: 42ce2bd36b25b14d2ed8d631edf33fc643f4c4eb5ed9af5e51ab4a49ffb09bba
• Opcode Fuzzy Hash: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
• Instruction Fuzzy Hash: 9BC04C303145419AD6505B309F4DB177A54AB50741F51553A638AE01A0DA348465DD2D

APIs
• RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CEA,00000000,?,?), ref: 00406265
Memory Dump Source
• Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_setup.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
• Instruction ID: 57b18be241489d6c3509c0f1b2cb500900bdd64e2c84313365475615acd8ae2e
• Opcode Fuzzy Hash: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
• Instruction Fuzzy Hash: 16E0E672010109BEDF196F50DD0AD7B371DEB04341F01492EF916D4091E6B5A9309734

APIs
• WriteFile.KERNELBASE(00000009,00000000,00000000,00000000,00000000,0040C475,0040B8F8,00403405,0040B8F8,0040C475,004138F8,00004000,?,00000000,0040322F,00000004), ref: 00405FD6
Memory Dump Source
• Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_setup.jbxd
Similarity
• API ID: FileWrite
• String ID:
• API String ID: 3934441357-0
• Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
• Instruction ID: d5187e51ab0d96a1766449b5dbb93cac2cdd9e80b7d20ab2fc0b5d8c8d5322e8
• Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
• Instruction Fuzzy Hash: 4AE0EC3221065BABDF109E659C04EEB7B6CEB05360F004437FA55E3150D675E8219BA4

APIs
• ReadFile.KERNELBASE(00000009,00000000,00000000,00000000,00000000,004138F8,0040B8F8,00403481,00000009,00000009,00403385,004138F8,00004000,?,00000000,0040322F), ref: 00405FA7
Memory Dump Source
• Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_setup.jbxd
Similarity
• API ID: FileRead
• String ID:
• API String ID: 2738559852-0
• Opcode ID: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
• Instruction ID: 61a6516da629700e98a59d605e8380186fb5f41ecf47873683bd74a9a2ef61d4
• Opcode Fuzzy Hash: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
• Instruction Fuzzy Hash: 8BE08C3220161EEBEF119E508C00AEBBB6CEB00360F004433FD25E3140E234E9218BA8

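The function entries above all follow one fixed annotation layout: an API bullet of the form `Api.Module(arg,arg,...), ref: address`, where `?` marks an argument the sandbox could not resolve, and a memory-dump name made of eight dot-separated hex fields ending in `.sdmp`. The Python below is an added example written for this page; it is not Joe Sandbox tooling and not part of the report. It parses both line shapes into records and summarises an excerpt into the set of `MODULE!Api` calls and the protection of each dumped region, which is what an analyst wants first when deciding whether a dumped image is worth pulling into a disassembler. The sample input is abridged from the lines in this section (repeated path cells dropped). The `PAGE_*` and `MEM_*` names are the winnt.h constants; the position of the PID, run number, base address, protection and region type within the `.sdmp` name is an assumption inferred from this report (0x0B and 2 match the `hcaresult_11_2_400000` snapshot name, and 0x02/0x20/0x04 match the read-only header, executable `.text` and writable data layout of a PE image at 0x400000). The other three fields are kept opaque.

```python
"""Parse Joe Sandbox function-annotation lines into records for triage.

Added example; not part of the report or of Joe Sandbox tooling.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Region protection constants from winnt.h (Windows SDK).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
# MEMORY_BASIC_INFORMATION.Type values from winnt.h.
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# "Api.Module(arg,arg,...), ref: 0040XXXX" (the leading bullet is stripped first)
_API_LINE = re.compile(r"^(\w+)\.(\w+)\((.*)\),\s*ref:\s*([0-9A-Fa-f]{8})$")
# "Source File: <8 dot-separated hex fields>.sdmp ..." or "Associated: ....sdmp[Download File]"
_SDMP_LINE = re.compile(r"^(?:Source File|Associated):\s*([0-9A-Fa-f.]+)\.sdmp")


@dataclass(frozen=True)
class ApiCall:
    name: str               # e.g. GetFileAttributesA
    module: str             # e.g. KERNELBASE
    args: Tuple[str, ...]   # raw argument cells; '?' means the sandbox could not resolve it
    ref: int                # call-site address inside the dumped image

    def hex_args(self) -> List[int]:
        """Arguments the report rendered as 32-bit hex values, as ints ('?' and paths skipped)."""
        return [int(a, 16) for a in self.args if re.fullmatch(r"[0-9A-Fa-f]{8}", a)]


@dataclass(frozen=True)
class DumpSource:
    pid: int
    run: int
    base: int
    protect: str
    mem_type: str


def _strip_bullet(line: str) -> str:
    return line.strip().lstrip("•").strip()


def parse_api_call(line: str) -> Optional[ApiCall]:
    """Parse one 'APIs' bullet; arguments are split on ',' (the report's cells contain none)."""
    m = _API_LINE.match(_strip_bullet(line))
    if not m:
        return None
    name, module, argstr, ref = m.groups()
    args = tuple(a.strip() for a in argstr.split(",")) if argstr else ()
    return ApiCall(name, module, args, int(ref, 16))


def parse_dump_source(line: str) -> Optional[DumpSource]:
    """Parse a 'Source File' / 'Associated' bullet naming a .sdmp memory dump.

    Field positions are an ASSUMPTION inferred from this report: field 0 (0x0B = 11) and
    field 1 (2) match the 'hcaresult_11_2_400000' snapshot name, field 3 is the region base,
    field 4 decodes as a PAGE_* protection consistent with the PE layout (RO header, RX
    .text, RW data) and field 6 as MEM_IMAGE. Fields 2, 5 and 7 are left opaque.
    """
    m = _SDMP_LINE.match(_strip_bullet(line))
    if not m:
        return None
    f = m.group(1).split(".")
    if len(f) != 8:
        return None
    protect, mtype = int(f[4], 16), int(f[6], 16)
    return DumpSource(
        pid=int(f[0], 16), run=int(f[1], 16), base=int(f[3], 16),
        protect=PAGE_PROTECT.get(protect, hex(protect)),
        mem_type=MEM_TYPE.get(mtype, hex(mtype)),
    )


def summarize(lines: List[str]) -> Tuple[List[str], Dict[int, str]]:
    """Return (sorted unique 'MODULE!Api' names, {region base: protection}) for an excerpt."""
    calls = [c for c in map(parse_api_call, lines) if c]
    dumps = [d for d in map(parse_dump_source, lines) if d]
    apis = sorted({f"{c.module}!{c.name}" for c in calls})
    regions = {d.base: d.protect for d in dumps}
    return apis, regions


# Sample input: abridged from the annotation lines in this report (repeated path cells dropped).
REPORT_EXCERPT = [
    "• GetFileAttributesA.KERNELBASE(?,?,00405B0E,?,?,00000000,00405CF1,?,?,?,?), ref: 00405EFB",
    "• SetFileAttributesA.KERNELBASE(?,00000000), ref: 00405F0F",
    r"• CreateDirectoryA.KERNELBASE(?,00000000,004034BF,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004059F2",
    "• GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405A00",
    "• RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CEA,00000000,?,?), ref: 00406265",
    "• WriteFile.KERNELBASE(00000009,00000000,00000000,00000000,00000000,0040C475,0040B8F8,00403405,0040B8F8,0040C475,004138F8,00004000,?,00000000,0040322F,00000004), ref: 00405FD6",
    "• Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true",
    "• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File",
    "• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File",
]

if __name__ == "__main__":
    apis, regions = summarize(REPORT_EXCERPT)
    print("APIs:", ", ".join(apis))
    for base, prot in sorted(regions.items()):
        print(f"region {base:#010x}: {prot}")
```

Run against a whole report the same way (feed every line; non-matching lines return `None` and are dropped). The `.sdmp` parser tolerates the fused "Download File" link text that page extraction leaves on the `Associated:` lines, so it works on the raw page as well as on the cleaned version.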
APIs
• SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403182,?), ref: 00403492
Memory Dump Source
• Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_setup.jbxd
Similarity
• API ID: FilePointer
• String ID:
                                                                                                                                                                                                                          • API String ID: 973152223-0
                                                                                                                                                                                                                          • Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                                                                                                                                                                                                                          • Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D
APIs
  • Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
  • Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
  • Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
  • Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
  • Part of subcall function 00405A21: CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422558,00000009,00000009,0000000B), ref: 00405A4A
  • Part of subcall function 00405A21: CloseHandle.KERNEL32(?), ref: 00405A57
• CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FC0
  • Part of subcall function 00406809: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040681A
  • Part of subcall function 00406809: GetExitCodeProcess.KERNEL32(?,?), ref: 0040683C
  • Part of subcall function 004062E6: wsprintfA.USER32 ref: 004062F3
Memory Dump Source
• Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_setup.jbxd
Similarity
• API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
• String ID:
• API String ID: 2972824698-0
• Opcode ID: b93a315dc59908fe351c40803e733eeda605d55301c746aa3fa59235fa4bc662
• Instruction ID: dce1314ccbc215d7d9c334b017be086f7c4cc40ba0f87dfe0d8145fd67a5eb82
• Opcode Fuzzy Hash: b93a315dc59908fe351c40803e733eeda605d55301c746aa3fa59235fa4bc662
• Instruction Fuzzy Hash: 2DF0B432A05121DBDB20BFA59EC49EEB2A4DF41318B25463FF502B21D1CB7C4D418A6E
APIs
• GetDlgItem.USER32(?,00000403), ref: 00405646
• GetDlgItem.USER32(?,000003EE), ref: 00405655
• GetClientRect.USER32(?,?), ref: 00405692
• GetSystemMetrics.USER32(00000002), ref: 00405699
• SendMessageA.USER32(?,0000101B,00000000,?), ref: 004056BA
• SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004056CB
• SendMessageA.USER32(?,00001001,00000000,?), ref: 004056DE
• SendMessageA.USER32(?,00001026,00000000,?), ref: 004056EC
• SendMessageA.USER32(?,00001024,00000000,?), ref: 004056FF
• ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405721
• ShowWindow.USER32(?,00000008), ref: 00405735
• GetDlgItem.USER32(?,000003EC), ref: 00405756
• SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405766
• SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040577F
• SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040578B
• GetDlgItem.USER32(?,000003F8), ref: 00405664
  • Part of subcall function 0040443A: SendMessageA.USER32(00000028,?,00000001,0040426A), ref: 00404448
• GetDlgItem.USER32(?,000003EC), ref: 004057A7
• CreateThread.KERNEL32(00000000,00000000,Function_0000557B,00000000), ref: 004057B5
• CloseHandle.KERNEL32(00000000), ref: 004057BC
• ShowWindow.USER32(00000000), ref: 004057DF
• ShowWindow.USER32(?,00000008), ref: 004057E6
• ShowWindow.USER32(00000008), ref: 0040582C
• SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405860
• CreatePopupMenu.USER32 ref: 00405871
• AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405886
• GetWindowRect.USER32(?,000000FF), ref: 004058A6
• TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004058BF
• SendMessageA.USER32(?,0000102D,00000000,?), ref: 004058FB
• OpenClipboard.USER32(00000000), ref: 0040590B
• EmptyClipboard.USER32 ref: 00405911
• GlobalAlloc.KERNEL32(00000042,?), ref: 0040591A
• GlobalLock.KERNEL32(00000000), ref: 00405924
• SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405938
• GlobalUnlock.KERNEL32(00000000), ref: 00405951
• SetClipboardData.USER32(00000001,00000000), ref: 0040595C
• CloseClipboard.USER32 ref: 00405962
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_setup.jbxd
Similarity
• API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
• String ID: PB
• API String ID: 590372296-3196168531
• Opcode ID: 463c74343dc9a7e994e8db0b260deb87a45ca3f66d4da0101cb89f9be381629f
• Instruction ID: 44a2cb424ceca129f1c721a27905a8e57bc1109532c064cce4e419f7e60c3497
• Opcode Fuzzy Hash: 463c74343dc9a7e994e8db0b260deb87a45ca3f66d4da0101cb89f9be381629f
• Instruction Fuzzy Hash: 18A13971900608FFDB11AF64DE85AAE7BB9FB48355F00403AFA41BA1A0CB754E51DF58
APIs
• GetDlgItem.USER32(?,000003FB), ref: 004048E6
• SetWindowTextA.USER32(00000000,?), ref: 00404910
• SHBrowseForFolderA.SHELL32(?,00420128,?), ref: 004049C1
• CoTaskMemFree.OLE32(00000000), ref: 004049CC
• lstrcmpiA.KERNEL32(C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,00420D50), ref: 004049FE
• lstrcatA.KERNEL32(?,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe), ref: 00404A0A
• SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404A1C
  • Part of subcall function 00405A82: GetDlgItemTextA.USER32(?,?,00000400,00404A53), ref: 00405A95
  • Part of subcall function 00406666: CharNextA.USER32(0000000B,*?|<>/":,00000000,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066BE
  • Part of subcall function 00406666: CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066CB
  • Part of subcall function 00406666: CharNextA.USER32(0000000B,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066D0
  • Part of subcall function 00406666: CharPrevA.USER32(0000000B,0000000B,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066E0
• GetDiskFreeSpaceA.KERNEL32(0041FD20,?,?,0000040F,?,0041FD20,0041FD20,?,00000001,0041FD20,?,?,000003FB,?), ref: 00404ADA
• MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404AF5
                                                                                                                                                                                                                            • Part of subcall function 00404C4E: lstrlenA.KERNEL32(00420D50,00420D50,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404B69,000000DF,00000000,00000400,?), ref: 00404CEC
                                                                                                                                                                                                                            • Part of subcall function 00404C4E: wsprintfA.USER32 ref: 00404CF4
                                                                                                                                                                                                                            • Part of subcall function 00404C4E: SetDlgItemTextA.USER32(?,00420D50), ref: 00404D07
                                                                                                                                                                                                                          Strings
Memory Dump Source
• Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_setup.jbxd
Similarity
• API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
• String ID: A$C:\Users\user\AppData\Roaming\GamePall$C:\Users\user\AppData\Roaming\GamePall\GamePall.exe$PB
• API String ID: 2624150263-3665957329
APIs
• CoCreateInstance.OLE32(00408418,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F8
• MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022AA
Strings
• C:\Users\user\AppData\Roaming\GamePall, xrefs: 00402238
Memory Dump Source
• Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_setup.jbxd
Similarity
• API ID: ByteCharCreateInstanceMultiWide
• String ID: C:\Users\user\AppData\Roaming\GamePall
• API String ID: 123533781-2308708932
APIs
• GetDlgItem.USER32(?,000003F9), ref: 00404E21
• GetDlgItem.USER32(?,00000408), ref: 00404E2E
• GlobalAlloc.KERNEL32(00000040,?), ref: 00404E7D
• LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404E94
• SetWindowLongA.USER32(?,000000FC,0040541D), ref: 00404EAE
• ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404EC0
• ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404ED4
• SendMessageA.USER32(?,00001109,00000002), ref: 00404EEA
• SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404EF6
• SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404F06
• DeleteObject.GDI32(00000110), ref: 00404F0B
• SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404F36
• SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404F42
• SendMessageA.USER32(?,00001100,00000000,?), ref: 00404FDC
• SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 0040500C
  • Part of subcall function 0040443A: SendMessageA.USER32(00000028,?,00000001,0040426A), ref: 00404448
• SendMessageA.USER32(?,00001100,00000000,?), ref: 00405020
• GetWindowLongA.USER32(?,000000F0), ref: 0040504E
• SetWindowLongA.USER32(?,000000F0,00000000), ref: 0040505C
• ShowWindow.USER32(?,00000005), ref: 0040506C
• SendMessageA.USER32(?,00000419,00000000,?), ref: 00405167
• SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004051CC
• SendMessageA.USER32(?,00000150,00000000,00000000), ref: 004051E1
• SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00405205
• SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00405225
• ImageList_Destroy.COMCTL32(?), ref: 0040523A
• GlobalFree.KERNEL32(?), ref: 0040524A
• SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 004052C3
• SendMessageA.USER32(?,00001102,?,?), ref: 0040536C
• SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 0040537B
• InvalidateRect.USER32(?,00000000,00000001), ref: 004053A6
• ShowWindow.USER32(?,00000000), ref: 004053F4
• GetDlgItem.USER32(?,000003FE), ref: 004053FF
• ShowWindow.USER32(00000000), ref: 00405406
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_setup.jbxd
Similarity
• API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
• String ID: $M$N
• API String ID: 2564846305-813528018
APIs
• SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403F47
• ShowWindow.USER32(?), ref: 00403F67
• GetWindowLongA.USER32(?,000000F0), ref: 00403F79
• ShowWindow.USER32(?,00000004), ref: 00403F92
• DestroyWindow.USER32 ref: 00403FA6
• SetWindowLongA.USER32(?,00000000,00000000), ref: 00403FBF
• GetDlgItem.USER32(?,?), ref: 00403FDE
• SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403FF2
• IsWindowEnabled.USER32(00000000), ref: 00403FF9
• GetDlgItem.USER32(?,00000001), ref: 004040A4
• GetDlgItem.USER32(?,00000002), ref: 004040AE
• SetClassLongA.USER32(?,000000F2,?), ref: 004040C8
• SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00404119
• GetDlgItem.USER32(?,00000003), ref: 004041BF
• ShowWindow.USER32(00000000,?), ref: 004041E0
• EnableWindow.USER32(?,?), ref: 004041F2
• EnableWindow.USER32(?,?), ref: 0040420D
• GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404223
• EnableMenuItem.USER32(00000000), ref: 0040422A
• SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00404242
• SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00404255
• lstrlenA.KERNEL32(00420D50,?,00420D50,00000000), ref: 0040427F
• SetWindowTextA.USER32(?,00420D50), ref: 0040428E
• ShowWindow.USER32(?,0000000A), ref: 004043C2
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_setup.jbxd
Similarity
• API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
• String ID: PB
• API String ID: 1860320154-3196168531
• Opcode ID: a84a76c7c437068317dea6ec38f5a19867a10701d7094664a652b1a8aea3850c
• Instruction ID: 6b3c419a8b2de2434844e8cd53afab52d63163afb5b1bd925d395a768d9dd0e6
• Opcode Fuzzy Hash: a84a76c7c437068317dea6ec38f5a19867a10701d7094664a652b1a8aea3850c
• Instruction Fuzzy Hash: ECC1D2B1A00204BBCB206F61EE45E2B3A78EB85745F41053EF781B61F1CB3998929B5D
APIs
• CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004045FB
• GetDlgItem.USER32(00000000,000003E8), ref: 0040460F
• SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040462D
• GetSysColor.USER32(?), ref: 0040463E
• SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040464D
• SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040465C
• lstrlenA.KERNEL32(?), ref: 0040465F
• SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040466E
• SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404683
• GetDlgItem.USER32(?,0000040A), ref: 004046E5
• SendMessageA.USER32(00000000), ref: 004046E8
• GetDlgItem.USER32(?,000003E8), ref: 00404713
• SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404753
• LoadCursorA.USER32(00000000,00007F02), ref: 00404762
• SetCursor.USER32(00000000), ref: 0040476B
• LoadCursorA.USER32(00000000,00007F00), ref: 00404781
• SetCursor.USER32(00000000), ref: 00404784
• SendMessageA.USER32(00000111,00000001,00000000), ref: 004047B0
• SendMessageA.USER32(00000010,00000000,00000000), ref: 004047C4
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_setup.jbxd
Similarity
• API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
• String ID: N$6B
• API String ID: 3103080414-649610290
• Opcode ID: c874497606b373bfbb3475a273ba326ab034ae9c38f8566fe8320349c510c150
• Instruction ID: 424ea1d81b5f8fd67bb79b8421ee67f108f717641e3cc5fc4ea293435da972af
• Opcode Fuzzy Hash: c874497606b373bfbb3475a273ba326ab034ae9c38f8566fe8320349c510c150
• Instruction Fuzzy Hash: CE6190B1A40208BFDB109F61DD45B6A7B69FB84715F10843AFB01BB2D1C7B8A951CF98
APIs
• CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00406182,?,?), ref: 00406022
• GetShortPathNameA.KERNEL32(?,00422AE0,00000400), ref: 0040602B
  • Part of subcall function 00405E80: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E90
  • Part of subcall function 00405E80: lstrlenA.KERNEL32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EC2
• GetShortPathNameA.KERNEL32(?,00422EE0,00000400), ref: 00406048
• wsprintfA.USER32 ref: 00406066
• GetFileSize.KERNEL32(00000000,00000000,00422EE0,C0000000,00000004,00422EE0,?,?,?,?,?), ref: 004060A1
• GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060B0
• lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E8
• SetFilePointer.KERNEL32(0040A3F0,00000000,00000000,00000000,00000000,004226E0,00000000,-0000000A,0040A3F0,00000000,[Rename],00000000,00000000,00000000), ref: 0040613E
• GlobalFree.KERNEL32(00000000), ref: 0040614F
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406156
  • Part of subcall function 00405F1B: GetFileAttributesA.KERNELBASE(00000003,00402F9F,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405F1F
  • Part of subcall function 00405F1B: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_setup.jbxd
Similarity
• API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
• String ID: %s=%s$[Rename]$*B$.B$.B
• API String ID: 2171350718-3836630945
• Opcode ID: 2ac8773abaa14c2605e43abf0f292608002e21a2c197761b550c40717a00d302
• Instruction ID: 7566a5a9e9d08134d14435fb5d3e1561ad96112206bac95af022f508aac3f812
• Opcode Fuzzy Hash: 2ac8773abaa14c2605e43abf0f292608002e21a2c197761b550c40717a00d302
• Instruction Fuzzy Hash: 68310531200715BBC2207B659D49F6B3A5DDF85754F15003EFE42BA2C3EA7CD8228AAD
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                                                                                                                                                                                          • BeginPaint.USER32(?,?), ref: 00401047
                                                                                                                                                                                                                          • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                                                                                                                                                          • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                                                                                                                                                                          • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                                                                                                                                                                          • DeleteObject.GDI32(?), ref: 004010ED
                                                                                                                                                                                                                          • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                                                                                                                                                                                          • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                                                                                                                                                                          • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                                                                                                                                                                          • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                                                                                                                                                                          • DrawTextA.USER32(00000000,00423F40,000000FF,00000010,00000820), ref: 00401156
                                                                                                                                                                                                                          • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                                                                                                                                                                          • DeleteObject.GDI32(?), ref: 00401165
                                                                                                                                                                                                                          • EndPaint.USER32(?,?), ref: 0040116E
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                                                                                                                                                          • String ID: F
                                                                                                                                                                                                                          • API String ID: 941294808-1304234792
                                                                                                                                                                                                                          • Opcode ID: db458c2aac7b07c9de4f1dfd54ee4cc10e0d46da2aaa9c20a0cc65b716daa4c3
                                                                                                                                                                                                                          • Instruction ID: bc851ab26da2bb863bf3a2ee07eb2f950de800ada4cbee7b2d64f78586a04119
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: db458c2aac7b07c9de4f1dfd54ee4cc10e0d46da2aaa9c20a0cc65b716daa4c3
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2C419D71800249AFCF058FA5DE459AF7FB9FF45314F00802AF991AA1A0C734DA55DFA4
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
                                                                                                                                                                                                                          • lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
                                                                                                                                                                                                                          • lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
                                                                                                                                                                                                                          • SetWindowTextA.USER32(00420530,00420530), ref: 00405517
                                                                                                                                                                                                                          • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
                                                                                                                                                                                                                          • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
                                                                                                                                                                                                                          • SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                                                                                                                                                                          • String ID: 4/@
                                                                                                                                                                                                                          • API String ID: 2531174081-3101945251
                                                                                                                                                                                                                          • Opcode ID: 17623ae6e76ffa783ca229a28a88b1e205e4a8d30cb80da27a9000df8195634c
                                                                                                                                                                                                                          • Instruction ID: 7ab3267fb946cf8e7efc5916356ec1270af3577e2396c2c3629ce5ef3fcb69de
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 17623ae6e76ffa783ca229a28a88b1e205e4a8d30cb80da27a9000df8195634c
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0F217A71E00118BBCF119FA5DD8099EBFB9EF09354F04807AF944A6291C7788A90CFA8
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • CharNextA.USER32(0000000B,*?|<>/":,00000000,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066BE
                                                                                                                                                                                                                          • CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066CB
                                                                                                                                                                                                                          • CharNextA.USER32(0000000B,?,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066D0
                                                                                                                                                                                                                          • CharPrevA.USER32(0000000B,0000000B,74DF3410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\AppData\Local\Temp\setup.exe",004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066E0
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00406667
                                                                                                                                                                                                                          • "C:\Users\user\AppData\Local\Temp\setup.exe", xrefs: 00406666
                                                                                                                                                                                                                          • *?|<>/":, xrefs: 004066AE
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Char$Next$Prev
                                                                                                                                                                                                                          • String ID: "C:\Users\user\AppData\Local\Temp\setup.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
                                                                                                                                                                                                                          • API String ID: 589700163-1678727643
                                                                                                                                                                                                                          • Opcode ID: 6bc0e94b7f234696628355ee2fbbbdde5b7464ab094feb853247d74dffcc646e
                                                                                                                                                                                                                          • Instruction ID: 80d428334b402c3338f843ea799862c1973996ffb1638880579f4ae0c72fc655
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6bc0e94b7f234696628355ee2fbbbdde5b7464ab094feb853247d74dffcc646e
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7E1108518047902DEB3206340C04B7B7F894F977A0F2A087FD8C6722C2D67E5C62967D
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • DestroyWindow.USER32(00000000,00000000), ref: 00402ED5
                                                                                                                                                                                                                          • GetTickCount.KERNEL32 ref: 00402EF3
                                                                                                                                                                                                                          • wsprintfA.USER32 ref: 00402F21
                                                                                                                                                                                                                            • Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
                                                                                                                                                                                                                            • Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
                                                                                                                                                                                                                            • Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
                                                                                                                                                                                                                            • Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
                                                                                                                                                                                                                            • Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
                                                                                                                                                                                                                            • Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
                                                                                                                                                                                                                            • Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
                                                                                                                                                                                                                          • CreateDialogParamA.USER32(0000006F,00000000,00402E25,00000000), ref: 00402F45
                                                                                                                                                                                                                          • ShowWindow.USER32(00000000,00000005), ref: 00402F53
                                                                                                                                                                                                                            • Part of subcall function 00402EA1: MulDiv.KERNEL32(00000000,00000064,0000D822), ref: 00402EB6
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                                                                                                                                                                                                          • String ID: ... %d%%$#Vh%.@
                                                                                                                                                                                                                          • API String ID: 722711167-1706192003
                                                                                                                                                                                                                          • Opcode ID: db62a3d36480f0b73892ce8a9fc69f21d0c49374a29e778f3850d420ffd5c07d
                                                                                                                                                                                                                          • Instruction ID: ac0ca11ee9366edb0cc6a28cc5aeb329eacd7d00ab00b3c3670f6d564c8935e4
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: db62a3d36480f0b73892ce8a9fc69f21d0c49374a29e778f3850d420ffd5c07d
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3F01A170542225EBCB21BB50EF0CBAB3778EB40744B04443BF505B21D0C7F894469AEE
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetWindowLongA.USER32(?,000000EB), ref: 00404489
                                                                                                                                                                                                                          • GetSysColor.USER32(00000000), ref: 004044C7
                                                                                                                                                                                                                          • SetTextColor.GDI32(?,00000000), ref: 004044D3
                                                                                                                                                                                                                          • SetBkMode.GDI32(?,?), ref: 004044DF
                                                                                                                                                                                                                          • GetSysColor.USER32(?), ref: 004044F2
                                                                                                                                                                                                                          • SetBkColor.GDI32(?,?), ref: 00404502
                                                                                                                                                                                                                          • DeleteObject.GDI32(?), ref: 0040451C
                                                                                                                                                                                                                          • CreateBrushIndirect.GDI32(?), ref: 00404526
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2320649405-0
                                                                                                                                                                                                                          • Opcode ID: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
                                                                                                                                                                                                                          • Instruction ID: 76b6fc4927f6120469f5ffa52701fcd3ddd76896e52d32ad6f55637f73cee333
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9E2147B1501704AFCB31DF68ED08B5BBBF8AF41715B04892EEA96A26E0D734E904CB54
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404D73
                                                                                                                                                                                                                          • GetMessagePos.USER32 ref: 00404D7B
                                                                                                                                                                                                                          • ScreenToClient.USER32(?,?), ref: 00404D95
                                                                                                                                                                                                                          • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404DA7
                                                                                                                                                                                                                          • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404DCD
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Message$Send$ClientScreen
                                                                                                                                                                                                                          • String ID: f
                                                                                                                                                                                                                          • API String ID: 41195575-1993550816
                                                                                                                                                                                                                          • Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                                                                                                                                                                                                          • Instruction ID: de178be9688f757f82ef56a4cbeb6693d0582b60b2ea90e1a00f6814b48fd044
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BB014871900219BADB01DBA4DD85BFEBBF8AF95B11F10016ABA40B61C0C6B499058BA4
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • CreateDirectoryA.KERNEL32(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 004059B2
                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 004059C6
                                                                                                                                                                                                                          • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004059DB
                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 004059E5
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                                                                                                                                                                          • String ID: !9@$C:\Users\user\AppData\Local\Temp\
                                                                                                                                                                                                                          • API String ID: 3449924974-2369717338
                                                                                                                                                                                                                          • Opcode ID: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
                                                                                                                                                                                                                          • Instruction ID: 4cd508ff09270142ca7a6984d66ae253fefa4e1f6983b248f3af4f59f5a14231
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 610108B1D00259DAEF109BA0CA45BEFBBB8EB04354F00403AD645B6290D7789648CF99
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E40
                                                                                                                                                                                                                          • wsprintfA.USER32 ref: 00402E74
                                                                                                                                                                                                                          • SetWindowTextA.USER32(?,?), ref: 00402E84
                                                                                                                                                                                                                          • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402E96
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Text$ItemTimerWindowwsprintf
                                                                                                                                                                                                                          • String ID: unpacking data: %d%%$verifying installer: %d%%
                                                                                                                                                                                                                          • API String ID: 1451636040-1158693248
                                                                                                                                                                                                                          • Opcode ID: a45d99d8fe85d32cf27a6b993dcd334edf2177b7a3e8b64a3b444c48cc752336
                                                                                                                                                                                                                          • Instruction ID: 7ad4584a5e884be7344c254f70e0401137e7e46ce86c3cf658bb2ab9d23be74a
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a45d99d8fe85d32cf27a6b993dcd334edf2177b7a3e8b64a3b444c48cc752336
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1DF01D7054020DBAEF219F60DE0ABAE3769EB44344F00803AFA16B91D0DBB899558F99
APIs
• lstrlenA.KERNEL32(00420D50,00420D50,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404B69,000000DF,00000000,00000400,?), ref: 00404CEC
• wsprintfA.USER32 ref: 00404CF4
• SetDlgItemTextA.USER32(?,00420D50), ref: 00404D07
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmp
• Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_400000_setup.jbxd
Similarity
• API ID: ItemTextlstrlenwsprintf
• String ID: %u.%u%s%s$PB
• API String ID: 3540041739-838025833
APIs
• RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D8F
• RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402DDB
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402DE4
• RegDeleteKeyA.ADVAPI32(?,?), ref: 00402DFB
• RegCloseKey.ADVAPI32(?,?,?), ref: 00402E06
Similarity
• API ID: CloseEnum$DeleteValue
• String ID:
• API String ID: 1354259210-0
APIs
• GetDlgItem.USER32(?,?), ref: 00401D7E
• GetClientRect.USER32(?,?), ref: 00401DCC
• LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DFC
• SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E10
• DeleteObject.GDI32(00000000), ref: 00401E20
Similarity
• API ID: ClientDeleteImageItemLoadMessageObjectRectSend
• String ID:
• API String ID: 1849352358-0
APIs
• GetDC.USER32(?), ref: 00401E38
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
• MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
• ReleaseDC.USER32(?,00000000), ref: 00401E6B
• CreateFontIndirectA.GDI32(0040B820), ref: 00401EBA
Similarity
• API ID: CapsCreateDeviceFontIndirectRelease
• String ID:
• API String ID: 3808545654-0
APIs
• SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
• SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CB6
Strings
Similarity
• API ID: MessageSend$Timeout
• String ID: !
• API String ID: 1777923405-2657877971
                                                                                                                                                                                                                          • Opcode ID: 1399452274c26c04b05c3e26325e61428879637001adb01d26c94ca9c19498ca
                                                                                                                                                                                                                          • Instruction ID: a12cfbdd51ff26f17676da16b1bc06906883597644a76ef85f46b7bf1251d8d3
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1399452274c26c04b05c3e26325e61428879637001adb01d26c94ca9c19498ca
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2A218271948208BEEB059FF5DA8AAAD7FB4EF84304F20447EF101B61D1D7B989819B18
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034B9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 00405D20
                                                                                                                                                                                                                          • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034B9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 00405D29
                                                                                                                                                                                                                          • lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405D3A
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • C:\Users\user\AppData\Local\Temp\, xrefs: 00405D1A
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmpDownload File
Similarity
• API ID: CharPrevlstrcatlstrlen
• String ID: C:\Users\user\AppData\Local\Temp\
• API String ID: 2659869361-3081826266
• Opcode ID: 78cba1d5cb2474798914f87c9b537ab1510ee16986e2efd06177e80df85e38b2
• Instruction ID: 6a6775ee8fa4d5d8d60a890cb1840bbff54d6a4bc9e312217f61a2b57c53a4e0
• Opcode Fuzzy Hash: 78cba1d5cb2474798914f87c9b537ab1510ee16986e2efd06177e80df85e38b2
• Instruction Fuzzy Hash: 82D0A7625015307AD20167154C09DDF29488F523017094027F501B7191C67C5C1187FD
APIs
• CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,74DF3410,?,74DF2EE0,00405B6A,?,74DF3410,74DF2EE0,"C:\Users\user\AppData\Local\Temp\setup.exe"), ref: 00405DC1
• CharNextA.USER32(00000000), ref: 00405DC6
• CharNextA.USER32(00000000), ref: 00405DDA
Strings
Similarity
• API ID: CharNext
• String ID: C:\
• API String ID: 3213498283-3404278061
• Opcode ID: 39b5ed16b6dfe77c974b4e4dad13ac827778716fd50118a58326aa52b160bb8b
• Instruction ID: a81d310af092f64b8c374c4571b8fed5a60269d48026fa3bbeeaae68e06855d2
• Opcode Fuzzy Hash: 39b5ed16b6dfe77c974b4e4dad13ac827778716fd50118a58326aa52b160bb8b
• Instruction Fuzzy Hash: 71F09661904F542BFB3293648C4CB776B8DCF55351F28947BE6807A6C1C27C59808FEA
APIs
• IsWindowVisible.USER32(?), ref: 0040544C
• CallWindowProcA.USER32(?,?,?,?), ref: 0040549D
  • Part of subcall function 00404451: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00404463
Strings
Similarity
• API ID: Window$CallMessageProcSendVisible
• String ID:
• API String ID: 3748168415-3916222277
• Opcode ID: 14b3d6ef5c2a84fc52750bef5e2e8b29c93878db9a0e482e1958f3e7559ce471
• Instruction ID: ce4d6245f7a5538c18ae28323cba1b5bdda0ccdff68052f186ad3da5f1ae13b7
• Opcode Fuzzy Hash: 14b3d6ef5c2a84fc52750bef5e2e8b29c93878db9a0e482e1958f3e7559ce471
• Instruction Fuzzy Hash: 2A015E31200608AFDF216F51DD80BAF3A66EB84716F104537FA05761D2C7799CD29F6A
APIs
• RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,00420530,?,?,?,00000002,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,?,00406527,80000002), ref: 004062B5
• RegCloseKey.ADVAPI32(?,?,00406527,80000002,Software\Microsoft\Windows\CurrentVersion,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,C:\Users\user\AppData\Roaming\GamePall\GamePall.exe,?,00420530), ref: 004062C0
Strings
Similarity
• API ID: CloseQueryValue
• String ID: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
• API String ID: 3356406503-2798812489
• Opcode ID: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
• Instruction ID: 5c8aa4f59809ec7c4ed175be077f356401e74c3ba082423fbe1b6bbc42bea5f4
• Opcode Fuzzy Hash: 2abccbe21afdcf7b2969046f12d50590a05fc3777738c5024e31ebbb51756706
• Instruction Fuzzy Hash: 8101BC72100209ABDF229F60CC09FDB3FA8EF45364F01407AFD56A6190D638C974CBA8
APIs
• lstrlenA.KERNEL32(80000000,C:\Users\user\AppData\Local\Temp,00402FC8,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405D67
• CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\AppData\Local\Temp,00402FC8,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,80000000,00000003), ref: 00405D75
Strings
• C:\Users\user\AppData\Local\Temp, xrefs: 00405D61
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CharPrevlstrlen
                                                                                                                                                                                                                          • String ID: C:\Users\user\AppData\Local\Temp
                                                                                                                                                                                                                          • API String ID: 2709904686-47812868
                                                                                                                                                                                                                          • Opcode ID: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
                                                                                                                                                                                                                          • Instruction ID: 27c40c0738421aba4af956c8f0f705930dfe744a77a65273bf6dbb66402e0641
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CBD0A772409D706EE31353208C04B8F6A48CF13300F0D4063E481A6190C2785C424BFD
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E90
                                                                                                                                                                                                                          • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405EA8
                                                                                                                                                                                                                          • CharNextA.USER32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EB9
                                                                                                                                                                                                                          • lstrlenA.KERNEL32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EC2
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000B.00000002.3523368608.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523060350.0000000000400000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523551626.0000000000408000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.000000000040A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.0000000000422000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3523605136.000000000042A000.00000004.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000B.00000002.3524133826.000000000042E000.00000002.00000001.01000000.0000000E.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_11_2_400000_setup.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: lstrlen$CharNextlstrcmpi
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 190613189-0
                                                                                                                                                                                                                          • Opcode ID: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
                                                                                                                                                                                                                          • Instruction ID: 98ea32bb50e75ca8be10b873c57fc005eda9f523d07111d413316ed06cfa332a
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5FF06235104918AFCB129BA5DD4099EBFA8EF55350B2540B9E880F7211D674DF019BA9

Execution Graph

Execution Coverage: 2.8%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 0%
Total number of Nodes: 1100
Total number of Limit Nodes: 12
                                                                                                                                                                                                                          execution_graph 86198 604e9c8b GetLastError 86199 604e9ca7 86198->86199 86200 604e9ca1 86198->86200 86219 604e9cab SetLastError 86199->86219 86221 604ea3f3 86199->86221 86231 604ea3b4 6 API calls __dosmaperr 86200->86231 86207 604e9ce0 86209 604ea3f3 __dosmaperr 6 API calls 86207->86209 86208 604e9cf1 86210 604ea3f3 __dosmaperr 6 API calls 86208->86210 86211 604e9cee 86209->86211 86212 604e9cfd 86210->86212 86232 604a3600 86211->86232 86213 604e9d18 86212->86213 86214 604e9d01 86212->86214 86236 604e9e7c 241 API calls __dosmaperr 86213->86236 86215 604ea3f3 __dosmaperr 6 API calls 86214->86215 86215->86211 86218 604e9d23 86220 604a3600 ___std_exception_destroy 241 API calls 86218->86220 86220->86219 86237 604ea7e9 86221->86237 86224 604ea42d TlsSetValue 86225 604e9cc3 86225->86219 86226 604a36a0 86225->86226 86227 604a36af 86226->86227 86229 604a36d3 86227->86229 86245 604a3c00 86227->86245 86377 604fd6a0 EnterCriticalSection LeaveCriticalSection ___tlregdtor 86227->86377 86229->86207 86229->86208 86231->86199 86233 604a3617 86232->86233 86729 604a5da0 86233->86729 86234 604a361d 86234->86219 86236->86218 86238 604ea819 86237->86238 86239 604ea40f 86237->86239 86238->86239 86244 604ea71e LoadLibraryExW GetLastError LoadLibraryExW FreeLibrary ___vcrt_FlsSetValue 86238->86244 86239->86224 86239->86225 86241 604ea82d 86241->86239 86242 604ea833 GetProcAddress 86241->86242 86242->86239 86243 604ea843 __dosmaperr 86242->86243 86243->86239 86244->86241 86246 604a4062 86245->86246 86248 604a3c27 86245->86248 86448 604fd620 313 API calls CatchGuardHandler 86246->86448 86249 604a40b3 86248->86249 86250 604a3fa0 TryAcquireSRWLockExclusive 86248->86250 86256 604a3cfe 86248->86256 86449 604675a0 356 API calls 86249->86449 86251 604a3fbd 86250->86251 86252 
604a3f45 86250->86252 86447 604a2760 TryAcquireSRWLockExclusive AcquireSRWLockExclusive 86251->86447 86254 604a0d00 350 API calls 86252->86254 86257 604a3f5d 86252->86257 86254->86257 86258 604a3dbd TryAcquireSRWLockExclusive 86256->86258 86259 604a3d1b 86256->86259 86445 604a2c10 352 API calls CatchGuardHandler 86256->86445 86257->86246 86261 604a4026 ReleaseSRWLockExclusive 86257->86261 86262 604a3e0c 86258->86262 86263 604a3f26 86258->86263 86259->86246 86275 604a3d3b 86259->86275 86261->86246 86265 604a3eb4 86262->86265 86268 604a0d00 350 API calls 86262->86268 86446 604a2760 TryAcquireSRWLockExclusive AcquireSRWLockExclusive 86263->86446 86270 604a3e38 ReleaseSRWLockExclusive 86265->86270 86283 604a40ce 86265->86283 86267 604a3da9 86267->86258 86267->86259 86271 604a3e30 86268->86271 86269 604a3f2f 86274 604a3f34 ReleaseSRWLockExclusive 86269->86274 86271->86270 86271->86274 86274->86252 86438 604cdc48 86275->86438 86276 604a3d70 86276->86227 86277 604a45cc 86308 604a462c 86277->86308 86434 604674e0 86277->86434 86279 604a42d7 TryAcquireSRWLockExclusive 86280 604a42fd 86279->86280 86281 604a45c5 86279->86281 86293 604a4311 86280->86293 86378 604a0d00 86280->86378 86453 604a2760 TryAcquireSRWLockExclusive AcquireSRWLockExclusive 86281->86453 86283->86277 86283->86279 86284 604a4205 86283->86284 86283->86308 86450 604675a0 356 API calls 86283->86450 86284->86279 86285 604a420e 86284->86285 86288 604a43ce TryAcquireSRWLockExclusive 86285->86288 86300 604a4232 _unexpected 86285->86300 86451 604a2c10 352 API calls CatchGuardHandler 86285->86451 86295 604a4445 86288->86295 86296 604a446b 86288->86296 86289 604a43ea 86289->86277 86289->86293 86289->86308 86290 604a4374 ReleaseSRWLockExclusive 86290->86285 86292 604a46ba ReleaseSRWLockExclusive 86309 604a46c7 86292->86309 86293->86290 86293->86308 86452 604a2760 TryAcquireSRWLockExclusive AcquireSRWLockExclusive 86295->86452 86298 604a44b4 86296->86298 86301 604a0d00 350 API calls 86296->86301 86297 604a43c2 
86297->86288 86297->86300 86304 604a44f3 ReleaseSRWLockExclusive 86298->86304 86298->86309 86300->86295 86305 604a4297 86300->86305 86300->86308 86302 604a4568 86301->86302 86302->86304 86302->86308 86306 604cdc48 CatchGuardHandler 5 API calls 86305->86306 86307 604a42a2 86306->86307 86307->86227 86308->86292 86310 604a4a69 86309->86310 86317 604a4726 86309->86317 86313 604a4a50 86310->86313 86314 604a5121 86310->86314 86311 604a50f8 86461 604fd620 313 API calls CatchGuardHandler 86311->86461 86318 604a51a9 86313->86318 86326 604a4acc 86313->86326 86328 604a4c3d 86313->86328 86345 604a5172 86313->86345 86463 604fd620 313 API calls CatchGuardHandler 86314->86463 86316 604a503d TryAcquireSRWLockExclusive 86319 604a502e 86316->86319 86320 604a4fe1 86316->86320 86317->86311 86317->86316 86323 604a5103 86317->86323 86324 604a4817 86317->86324 86464 604fd0a0 241 API calls 86318->86464 86460 604a2760 TryAcquireSRWLockExclusive AcquireSRWLockExclusive 86319->86460 86327 604a0d00 350 API calls 86320->86327 86334 604a4ffd 86320->86334 86462 604675a0 356 API calls 86323->86462 86346 604a48ce 86324->86346 86350 604a4838 86324->86350 86454 604a2c10 352 API calls CatchGuardHandler 86324->86454 86326->86328 86329 604a4e15 TryAcquireSRWLockExclusive 86326->86329 86340 604a4ddb 86326->86340 86341 604a4ba2 86326->86341 86330 604a4ff9 86327->86330 86371 604a523f 86328->86371 86373 604a5295 86328->86373 86466 604fd620 313 API calls CatchGuardHandler 86328->86466 86336 604a4e5a 86329->86336 86337 604a4e63 86329->86337 86330->86334 86335 604a4fd0 ReleaseSRWLockExclusive 86330->86335 86332 604a48de TryAcquireSRWLockExclusive 86339 604a4c46 86332->86339 86353 604a4905 86332->86353 86333 604a50c2 ReleaseSRWLockExclusive 86333->86311 86334->86333 86334->86345 86335->86350 86459 604a2760 TryAcquireSRWLockExclusive AcquireSRWLockExclusive 86336->86459 86352 604a0d00 350 API calls 86337->86352 86360 604a4e83 86337->86360 86455 604a2760 TryAcquireSRWLockExclusive AcquireSRWLockExclusive 
86339->86455 86457 604675a0 356 API calls 86340->86457 86341->86329 86357 604a4bc8 86341->86357 86342 604cdc48 CatchGuardHandler 5 API calls 86351 604a48a6 86342->86351 86345->86227 86346->86332 86346->86350 86347 604a4962 86347->86335 86349 604a0d00 350 API calls 86347->86349 86354 604a4988 ReleaseSRWLockExclusive 86347->86354 86349->86347 86350->86342 86350->86345 86351->86227 86355 604a4f48 86352->86355 86353->86328 86353->86347 86354->86347 86355->86360 86372 604a4df0 ReleaseSRWLockExclusive 86355->86372 86356 604a4c6a 86358 604a4c90 TryAcquireSRWLockExclusive 86356->86358 86366 604a4be5 86356->86366 86357->86356 86357->86366 86456 604a2c10 352 API calls CatchGuardHandler 86357->86456 86363 604a4cb3 86358->86363 86364 604a4e01 86358->86364 86359 604a4ee4 ReleaseSRWLockExclusive 86359->86366 86360->86359 86363->86366 86368 604a0d00 350 API calls 86363->86368 86458 604a2760 TryAcquireSRWLockExclusive AcquireSRWLockExclusive 86364->86458 86366->86328 86367 604a4c33 86366->86367 86369 604a4d1f ReleaseSRWLockExclusive 86366->86369 86367->86328 86367->86350 86370 604a4cd6 86368->86370 86369->86366 86370->86366 86370->86372 86371->86227 86372->86227 86465 604a52b0 373 API calls 2 library calls 86373->86465 86376 604a52a1 86376->86227 86377->86227 86379 604a15a6 86378->86379 86406 604a0d32 86378->86406 86380 604a1979 86379->86380 86381 604a15c0 ReleaseSRWLockExclusive 86379->86381 86403 604a1960 86379->86403 86383 604a198b ReleaseSRWLockExclusive 86380->86383 86395 604a0dfb 86380->86395 86385 604a161c 86381->86385 86382 604a0fa8 86384 604cdc48 CatchGuardHandler 5 API calls 86382->86384 86529 604fd0a0 241 API calls 86383->86529 86389 604a0fd7 86384->86389 86385->86385 86391 60467330 307 API calls 86385->86391 86387 604a0e12 86387->86382 86392 604a0f7b 86387->86392 86393 604a0fe7 86387->86393 86388 604a12d7 86388->86382 86396 604a1949 ReleaseSRWLockExclusive 86388->86396 86389->86289 86390 604a182c 86530 604fcf80 247 API calls 86390->86530 86397 604a163e 86391->86397 
86392->86382 86415 604a10d7 86392->86415 86467 604a07f0 86393->86467 86395->86387 86395->86388 86395->86403 86528 604fd100 247 API calls 86396->86528 86399 604a1816 86397->86399 86418 604a0f54 86397->86418 86399->86390 86402 604a17b9 TryAcquireSRWLockExclusive 86399->86402 86400 604a19a8 86531 604fcfb0 247 API calls 86400->86531 86401 604a0dc5 86401->86382 86401->86387 86401->86395 86505 60467330 86401->86505 86402->86395 86405 604a180d 86402->86405 86403->86289 86520 604a2760 TryAcquireSRWLockExclusive AcquireSRWLockExclusive 86405->86520 86406->86401 86406->86415 86406->86418 86411 604a19b4 ReleaseSRWLockExclusive 86532 604fcf80 247 API calls 86411->86532 86417 604a10e2 86415->86417 86527 604fd250 VirtualFree GetLastError 86415->86527 86416 604a1929 86416->86289 86418->86387 86418->86400 86419 604a07f0 30 API calls 86418->86419 86420 604a175a 86419->86420 86421 604a1831 TryAcquireSRWLockExclusive 86420->86421 86433 604a1765 86420->86433 86422 604a1848 86421->86422 86423 604a183f 86421->86423 86522 604fd250 VirtualFree GetLastError 86422->86522 86521 604a2760 TryAcquireSRWLockExclusive AcquireSRWLockExclusive 86423->86521 86426 604a1850 ReleaseSRWLockExclusive 86427 604a07f0 30 API calls 86426->86427 86428 604a186c 86427->86428 86428->86400 86429 604a1885 86428->86429 86428->86433 86523 604a0060 TryAcquireSRWLockExclusive ReleaseSRWLockExclusive TryAcquireSRWLockExclusive AcquireSRWLockExclusive __DllMainCRTStartup@12 86429->86523 86431 604a18c3 86524 60466560 86431->86524 86433->86402 86435 60467518 _unexpected 86434->86435 86704 604a2010 TryAcquireSRWLockExclusive 86435->86704 86439 604cdc50 86438->86439 86440 604cdc51 IsProcessorFeaturePresent 86438->86440 86439->86276 86442 604ce0a5 86440->86442 86728 604ce18a SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 86442->86728 86444 604ce188 86444->86276 86445->86267 86446->86269 86447->86252 86448->86249 86449->86283 86450->86284 86451->86297 86452->86296 86453->86277 
86454->86346 86455->86357 86456->86356 86457->86366 86458->86372 86459->86337 86460->86320 86461->86323 86462->86314 86463->86314 86465->86376 86466->86373 86468 604a0804 86467->86468 86469 604a08de 86468->86469 86470 604a0809 VirtualAlloc 86468->86470 86471 604a0828 86468->86471 86472 604a08e1 GetLastError 86469->86472 86470->86471 86473 604a0824 86470->86473 86471->86415 86474 604a08fd Sleep VirtualAlloc 86472->86474 86475 604a08f2 86472->86475 86473->86471 86476 604a084d GetLastError 86473->86476 86474->86471 86477 604a091d GetLastError 86474->86477 86475->86471 86475->86474 86478 604a085e 86476->86478 86479 604a0865 Sleep VirtualAlloc 86476->86479 86480 604a0939 Sleep VirtualAlloc 86477->86480 86481 604a092e 86477->86481 86478->86471 86478->86479 86479->86471 86482 604a0881 GetLastError 86479->86482 86480->86471 86483 604a0959 GetLastError 86480->86483 86481->86471 86481->86480 86487 604a089e Sleep VirtualAlloc 86482->86487 86488 604a08d1 86482->86488 86485 604a096a 86483->86485 86486 604a0975 Sleep VirtualAlloc 86483->86486 86485->86471 86485->86486 86486->86471 86489 604a0995 GetLastError 86486->86489 86487->86471 86490 604a08be 86487->86490 86488->86471 86488->86487 86491 604a09b1 Sleep VirtualAlloc 86489->86491 86492 604a09a6 86489->86492 86490->86472 86491->86471 86493 604a09d1 GetLastError 86491->86493 86492->86471 86492->86491 86494 604a09ed Sleep VirtualAlloc 86493->86494 86495 604a09e2 86493->86495 86494->86471 86496 604a0a0d GetLastError 86494->86496 86495->86471 86495->86494 86497 604a0a29 Sleep VirtualAlloc 86496->86497 86498 604a0a1e 86496->86498 86497->86471 86499 604a0a49 GetLastError 86497->86499 86498->86471 86498->86497 86500 604a0a5a 86499->86500 86501 604a0a65 Sleep VirtualAlloc 86499->86501 86500->86471 86500->86501 86501->86471 86502 604a0a85 GetLastError 86501->86502 86503 604a0aa1 Sleep 86502->86503 86504 604a0a96 86502->86504 86503->86415 86504->86471 86504->86503 86506 60467343 86505->86506 86533 60466530 86506->86533 86508 6046736b 
86508->86395 86508->86411 86509 60467354 86509->86508 86536 6049ffb0 TryAcquireSRWLockExclusive ReleaseSRWLockExclusive TryAcquireSRWLockExclusive AcquireSRWLockExclusive __DllMainCRTStartup@12 86509->86536 86511 604673e1 86511->86508 86511->86509 86513 6046746d 86511->86513 86512 60466560 241 API calls 86514 6046734d 86512->86514 86518 60466560 241 API calls 86513->86518 86514->86509 86514->86512 86516 604673ab 86514->86516 86517 60466530 305 API calls 86514->86517 86515 60466560 241 API calls 86515->86516 86516->86508 86516->86511 86516->86515 86519 60466530 305 API calls 86516->86519 86517->86514 86518->86508 86519->86516 86520->86395 86521->86422 86522->86426 86523->86431 86600 60466ad0 VirtualFree 86524->86600 86526 6046656e 86526->86433 86527->86416 86528->86403 86537 60467300 86533->86537 86536->86508 86540 60466b90 86537->86540 86541 60466c39 86540->86541 86556 60466baf 86540->86556 86597 604a0110 13 API calls 86541->86597 86543 60466bd4 VirtualAlloc 86543->86556 86544 604670de GetLastError 86547 604670fa Sleep VirtualAlloc 86544->86547 86544->86556 86545 60466c6d GetLastError 86545->86556 86570 60466c3e 86545->86570 86546 6046654a 86546->86514 86549 6046711c GetLastError 86547->86549 86547->86556 86548 60466c4b VirtualFree 86548->86556 86551 60467138 Sleep VirtualAlloc 86549->86551 86549->86570 86554 6046715a GetLastError 86551->86554 86551->86556 86552 60466e41 GetLastError 86553 60466e5d Sleep VirtualAlloc 86552->86553 86552->86556 86553->86556 86557 60466e7f 86553->86557 86555 60467176 Sleep VirtualAlloc 86554->86555 86554->86570 86555->86556 86558 60467198 GetLastError 86555->86558 86556->86543 86556->86544 86556->86545 86556->86546 86556->86547 86556->86548 86556->86552 86556->86553 86559 60466ccb VirtualAlloc 86556->86559 86557->86544 86560 604671b4 Sleep VirtualAlloc 86558->86560 86558->86570 86559->86570 86560->86556 86562 604671d6 GetLastError 86560->86562 86561 60466d7a 86561->86546 86565 604671f2 Sleep VirtualAlloc 86562->86565 86562->86570 
86563 60466d89 GetLastError 86598 604fcf10 TryAcquireSRWLockExclusive AcquireSRWLockExclusive TryAcquireSRWLockExclusive VirtualFree ReleaseSRWLockExclusive 86563->86598 86565->86556 86567 60467214 GetLastError 86565->86567 86566 60466d3a VirtualFree 86566->86556 86566->86570 86569 60467230 Sleep VirtualAlloc 86567->86569 86567->86570 86568 60466e84 GetLastError 86568->86570 86571 60466ea0 Sleep VirtualAlloc 86568->86571 86569->86556 86573 60467252 GetLastError 86569->86573 86570->86545 86570->86546 86570->86551 86570->86555 86570->86556 86570->86560 86570->86561 86570->86563 86570->86565 86570->86566 86570->86568 86570->86569 86570->86571 86572 60466800 241 API calls 86570->86572 86575 6046726e Sleep VirtualAlloc 86570->86575 86576 60466edd Sleep VirtualAlloc 86570->86576 86579 60466f1a Sleep VirtualAlloc 86570->86579 86580 604672ac Sleep VirtualAlloc 86570->86580 86583 604672ea Sleep 86570->86583 86584 60466f57 Sleep VirtualAlloc 86570->86584 86586 60466f94 Sleep VirtualAlloc 86570->86586 86588 60466fd1 Sleep VirtualAlloc 86570->86588 86590 6046700e Sleep VirtualAlloc 86570->86590 86592 6046704b Sleep VirtualAlloc 86570->86592 86594 60467088 Sleep VirtualAlloc 86570->86594 86596 604670c5 Sleep 86570->86596 86599 604fcf10 TryAcquireSRWLockExclusive AcquireSRWLockExclusive TryAcquireSRWLockExclusive VirtualFree ReleaseSRWLockExclusive 86570->86599 86571->86570 86574 60466ec1 GetLastError 86571->86574 86572->86570 86573->86570 86573->86575 86574->86570 86574->86576 86575->86556 86577 60467290 GetLastError 86575->86577 86576->86570 86578 60466efe GetLastError 86576->86578 86577->86570 86577->86580 86578->86570 86578->86579 86579->86570 86582 60466f3b GetLastError 86579->86582 86580->86556 86581 604672ce GetLastError 86580->86581 86581->86570 86581->86583 86582->86570 86582->86584 86583->86545 86584->86570 86585 60466f78 GetLastError 86584->86585 86585->86570 86585->86586 86586->86570 86587 60466fb5 GetLastError 86586->86587 86587->86570 86587->86588 86588->86570 
86589 60466ff2 GetLastError 86588->86589 86589->86570 86589->86590 86590->86570 86591 6046702f GetLastError 86590->86591 86591->86570 86591->86592 86592->86570 86593 6046706c GetLastError 86592->86593 86593->86570 86593->86594 86594->86570 86595 604670a9 GetLastError 86594->86595 86595->86570 86595->86596 86596->86563 86597->86570 86598->86570 86599->86570 86601 60466ae7 86600->86601 86605 60466af3 86600->86605 86601->86526 86602 60466b67 VirtualFree 86604 60466b78 GetLastError 86602->86604 86615 60466b2e 86602->86615 86607 60466b31 86604->86607 86604->86615 86605->86602 86606 60466b37 GetLastError 86605->86606 86605->86615 86665 60466590 VirtualAlloc 86605->86665 86700 604fced0 241 API calls 86605->86700 86606->86605 86606->86607 86609 60466c39 86607->86609 86607->86615 86621 60466baf 86607->86621 86701 604a0110 13 API calls 86609->86701 86611 60466bd4 VirtualAlloc 86611->86621 86612 604670de GetLastError 86614 604670fa Sleep VirtualAlloc 86612->86614 86612->86621 86613 60466c6d GetLastError 86613->86621 86637 60466c3e 86613->86637 86617 6046711c GetLastError 86614->86617 86614->86621 86615->86526 86616 60466c4b VirtualFree 86616->86621 86619 60467138 Sleep VirtualAlloc 86617->86619 86617->86637 86619->86621 86623 6046715a GetLastError 86619->86623 86620 60466e41 GetLastError 86620->86621 86622 60466e5d Sleep VirtualAlloc 86620->86622 86621->86611 86621->86612 86621->86613 86621->86614 86621->86615 86621->86616 86621->86620 86621->86622 86627 60466ccb VirtualAlloc 86621->86627 86622->86621 86625 60466e7f 86622->86625 86624 60467176 Sleep VirtualAlloc 86623->86624 86623->86637 86624->86621 86626 60467198 GetLastError 86624->86626 86625->86612 86628 604671b4 Sleep VirtualAlloc 86626->86628 86626->86637 86627->86637 86628->86621 86630 604671d6 GetLastError 86628->86630 86629 60466d7a 86629->86615 86633 604671f2 Sleep VirtualAlloc 86630->86633 86630->86637 86631 60466d89 GetLastError 86702 604fcf10 TryAcquireSRWLockExclusive AcquireSRWLockExclusive 
[Execution graph residue: the rendered control-flow graph is absent; only its node identifiers and edge list survived. Nodes cover basic blocks in the range 604615d0 to 605117d0. API calls annotated on the graph nodes: VirtualAlloc, VirtualFree, Sleep, GetLastError, TryAcquireSRWLockExclusive, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, TlsAlloc, EnterCriticalSection, LeaveCriticalSection, RaiseException, GetModuleFileNameW, GetModuleHandleW, GetProcAddress, GetCurrentProcess, GetCommandLineW, GetEnvironmentVariableW, CreateFileW, GetFileType, CloseHandle, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, QueryPerformanceFrequency, SetProcessMitigationPolicy, VerSetConditionMask, VerifyVersionInfoW, CreateMutexW, GetNativeSystemInfo, RtlInitUnicodeString, RtlFreeUnicodeString, RtlFormatCurrentUserKeyPath, NtOpenKeyEx, NtQueryValueKey, NtCreateKey, NtDeleteKey, NtClose. Runtime/CRT labels on the nodes: __DllMainCRTStartup@12, dllmain_raw, dllmain_crt_dispatch, ___get_entropy, CatchGuardHandler, CatchIt, _unexpected, __dosmaperr, ___std_exception_copy, ___std_exception_destroy, ___scrt_is_nonwritable_in_current_image, ___scrt_uninitialize_crt, ___vcrt_FlsSetValue, ___tlregdtor, _strlen.]
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 6047DD72
• _strlen.LIBCMT ref: 6047DEB9
Strings
• ..\..\third_party\libc++\src\include\__string\char_traits.h, xrefs: 6047E9D4
• larg, xrefs: 6047E4B5
• S, xrefs: 6047EDAC
• CEF_CRASH_REPORTER_SERVER_URL, xrefs: 6047DC7D
• __s should never be greater than or equal to the short string capacity, xrefs: 6047EA77
• [Con, xrefs: 6047DFA1
• %s:%d: assertion %s failed: %s, xrefs: 6047EA8B
• char_traits::copy overlapped range, xrefs: 6047E9C5
• ..\..\third_party\libc++\src\include\string_view, xrefs: 6047EAAF
• crash_reporter.cfg, xrefs: 6047EA52
• ,, xrefs: 6047E731
• __s2 < __s1 || __s2 >= __s1+__n, xrefs: 6047E9CA
• CEF_CRASH_REPORTER_RATE_LIMIT_ENABLED, xrefs: 6047DCA5
• smal, xrefs: 6047E49D
• ..\..\third_party\libc++\src\include\string, xrefs: 6047EA86
• medi, xrefs: 6047E4EA
• __s < __min_cap, xrefs: 6047EA7C
• __len <= static_cast<size_type>(numeric_limits<difference_type>::max()), xrefs: 6047EAA5
• [CrashKeys], xrefs: 6047E00E
• string_view::string_view(_CharT *, size_t): received nullptr, xrefs: 6047EAB6
• __len == 0 || __s != nullptr, xrefs: 6047EABB
• string_view::string_view(_CharT *, size_t): length does not fit in difference_type, xrefs: 6047EAA0
• fig], xrefs: 6047DFAB
Memory Dump Source
• Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
• Associated: 0000000E.00000002.3490853439.0000000060450000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491756212.0000000060529000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491908614.000000006054A000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006054C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006055C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.0000000060564000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492083196.0000000060566000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492122559.0000000060572000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492191897.0000000060575000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492229716.000000006057D000.00000020.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492267357.000000006057E000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
Similarity
• API ID: FileModuleName_strlen
• String ID: %s:%d: assertion %s failed: %s$,$..\..\third_party\libc++\src\include\__string\char_traits.h$..\..\third_party\libc++\src\include\string$..\..\third_party\libc++\src\include\string_view$CEF_CRASH_REPORTER_RATE_LIMIT_ENABLED$CEF_CRASH_REPORTER_SERVER_URL$S$[Con$[CrashKeys]$__len <= static_cast<size_type>(numeric_limits<difference_type>::max())$__len == 0 || __s != nullptr$__s < __min_cap$__s should never be greater than or equal to the short string capacity$__s2 < __s1 || __s2 >= __s1+__n$char_traits::copy overlapped range$crash_reporter.cfg$fig]$larg$medi$smal$string_view::string_view(_CharT *, size_t): length does not fit in difference_type$string_view::string_view(_CharT *, size_t): received nullptr
• API String ID: 2404361900-60179841
• Opcode ID: 08df77c958f7f95b143f96817199e936ae02818c0219ec50d3c265a4907632d8
• Instruction ID: 1aa1fcdee2580bb43a7c569bcfbd4f4ec5c4a6792e593a09f2379888005b03b8
• Opcode Fuzzy Hash: 08df77c958f7f95b143f96817199e936ae02818c0219ec50d3c265a4907632d8
• Instruction Fuzzy Hash: 2E7293F1D042288ADB35CA25CC90FD9BBB5AF65308F0481EDE64DA7241EB385E85CF95
APIs
• TryAcquireSRWLockExclusive.KERNEL32(?), ref: 604A3DFE
• ReleaseSRWLockExclusive.KERNEL32(?), ref: 604A3EA0
• ReleaseSRWLockExclusive.KERNEL32(?,?,00000001,00000000,00004000,00000000), ref: 604A3F38
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
• Associated: 0000000E.00000002.3490853439.0000000060450000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491756212.0000000060529000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491908614.000000006054A000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006054C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006055C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.0000000060564000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492083196.0000000060566000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492122559.0000000060572000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492191897.0000000060575000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492229716.000000006057D000.00000020.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492267357.000000006057E000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
Similarity
• API ID: ExclusiveLock$Release$Acquire
• String ID: @)W`$@)W`$@)W`$first
• API String ID: 1021914862-1760890915
• Opcode ID: c7571c627faf58cc6238ad8c5102f76b07ef59a7211ad1e30493019641bcb617
• Instruction ID: 8cf069472f875148d67e4e3611d47b3ba841301cbec9ecd4ea8891bb02fc3d60
• Opcode Fuzzy Hash: c7571c627faf58cc6238ad8c5102f76b07ef59a7211ad1e30493019641bcb617
• Instruction Fuzzy Hash: 5AD20371A043018FD728CF28C880B6ABBE2BFE5358F15856CE9559B399DB38DD45CB81

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 991 60475140-6047515a 992 60475160-60475192 RtlInitUnicodeString call 604ccec7 991->992 993 6047547f-60475486 call 60474970 991->993 998 6047546e-6047547a 992->998 999 60475198-6047519e 992->999 993->992 1000 6047548c-6047548e 993->1000 1002 60475395-6047539f call 604fce60 998->1002 999->998 1001 604751a4-604751ab 999->1001 1003 60475331-60475344 call 604cdc48 1000->1003 1001->998 1005 604751b1-604751b8 1001->1005 1007 604753a4-604753b0 1002->1007 1005->998 1008 604751be-604751c5 1005->1008 1010 604753b2-604753b5 1007->1010 1011 60475389-60475393 1007->1011 1008->998 1012 604751cb-604751d2 1008->1012 1013 60475328 1010->1013 1011->1002 1012->998 1014 604751d8-604751df 1012->1014 1015 6047532a-6047532f 1013->1015 1014->998 1016 604751e5-604751ec 1014->1016 1015->1003 1018 60475379-60475383 1015->1018 1016->998 1017 604751f2-604751f9 1016->1017 1017->998 1019 604751ff-60475206 1017->1019 1018->1011 1020 6047545d-60475466 call 604ccef7 1018->1020 1019->998 1021 6047520c-60475213 1019->1021 1020->998 1021->998 1023 60475219-60475220 1021->1023 1023->998 1025 60475226-6047522d 1023->1025 1025->998 1026 60475233-6047523a 1025->1026 1026->998 1027 60475240-60475247 1026->1027 1027->998 1028 6047524d-60475254 1027->1028 1028->998 1029 6047525a-60475261 1028->1029 1029->998 1030 60475267-6047526e 1029->1030 1030->998 1031 60475274-6047527b 1030->1031 1031->998 1032 60475281-60475288 1031->1032 1032->998 1033 6047528e-60475295 1032->1033 1033->998 1034 6047529b-604752a2 1033->1034 1034->998 1035 604752a8-604752af 1034->1035 1035->998 1036 604752b5-604752bc 1035->1036 1036->998 1037 604752c2-604752f7 call 604a69c0 NtQueryValueKey 1036->1037 1040 60475349-6047536e call 604a69c0 NtQueryValueKey 1037->1040 1041 604752f9-604752fe 1037->1041 1047 60475370-60475375 1040->1047 1048 604753ba-604753df call 604a69c0 NtQueryValueKey 1040->1048 1041->1040 1042 60475300-60475302 1041->1042 1045 60475345-60475347 1042->1045 1046 60475304-60475314 1042->1046 1045->1015 1046->1007 1049 6047531a-60475323 call 60469ce0 1046->1049 1047->1042 1050 60475377 1047->1050 1054 604753e1-604753e6 1048->1054 1055 604753ec-60475411 call 604a69c0 NtQueryValueKey 1048->1055 1049->1013 1050->1048 1054->1042 1054->1055 1058 60475413-60475418 1055->1058 1059 6047541e-60475447 call 604a69c0 NtQueryValueKey 1055->1059 1058->1042 1058->1059 1059->1015 1062 6047544d-60475452 1059->1062 1062->1042 1063 60475458 1062->1063 1063->1015
APIs
Strings
• __location != nullptr, xrefs: 60475473
• ..\..\third_party\libc++\src\include\__memory\construct_at.h, xrefs: 60475395
• \BLBeacon, xrefs: 60475144
• null pointer given to destroy_at, xrefs: 60475389
• __loc != nullptr, xrefs: 6047538E
• %s:%d: assertion %s failed: %s, xrefs: 6047539A
• null pointer given to construct_at, xrefs: 6047546E
Memory Dump Source
• Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
• Associated: 0000000E.00000002.3490853439.0000000060450000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491756212.0000000060529000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491908614.000000006054A000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006054C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006055C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.0000000060564000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492083196.0000000060566000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492122559.0000000060572000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492191897.0000000060575000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492229716.000000006057D000.00000020.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492267357.000000006057E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: QueryValue$InitStringUnicode
                                                                                                                                                                                                                          • String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\__memory\construct_at.h$\BLBeacon$__loc != nullptr$__location != nullptr$null pointer given to construct_at$null pointer given to destroy_at
                                                                                                                                                                                                                          • API String ID: 859960800-1453909569
                                                                                                                                                                                                                          • Opcode ID: e3c5b08250aa5921f86f6a63446cb11eeaf993404e85d5d815ec7f4b2372b2d0
                                                                                                                                                                                                                          • Instruction ID: add650a078e450785130f33fb2af6cae0af33d9727202be923b5b631ce75ea5d
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e3c5b08250aa5921f86f6a63446cb11eeaf993404e85d5d815ec7f4b2372b2d0
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FC9184609042409EDB308B788884FEF7FE49F66724F158659E8359F3E5C3F99885C752
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • ReleaseSRWLockExclusive.KERNEL32(-000000C0), ref: 604A15CB
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
• Associated: 0000000E.00000002.3490853439.0000000060450000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491756212.0000000060529000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491908614.000000006054A000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006054C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006055C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.0000000060564000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492083196.0000000060566000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492122559.0000000060572000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492191897.0000000060575000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492229716.000000006057D000.00000020.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492267357.000000006057E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ExclusiveLockRelease
                                                                                                                                                                                                                          • String ID: first$size$span
                                                                                                                                                                                                                          • API String ID: 1766480654-3452983260
                                                                                                                                                                                                                          • Opcode ID: 62705c0f27c0952881aee2f16f7c4d78e7204c7f196ca12b4ed8a54931d5b28d
                                                                                                                                                                                                                          • Instruction ID: ee047f4419870b5c0ae9cca15034ee9c03b94ab8f5c212a351fb1a97e15f4c38
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 62705c0f27c0952881aee2f16f7c4d78e7204c7f196ca12b4ed8a54931d5b28d
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3382D175A043019FD724CF28C480B9AB7E2FFA8314F19856DE9999B359D738ED42CB81

Control-flow Graph
                                                                                                                                                                                                                          control_flow_graph 1491 b64e20-b64e46 1492 b64eac-b64ebd 1491->1492 1493 b64e48-b64e50 1491->1493 1499 b64ec7-b64ef9 1492->1499 1495 b64e53-b64e54 1493->1495 1496 b64e56-b64e5a 1495->1496 1497 b64e5b-b64e5d 1495->1497 1496->1497 1503 b64de9 1496->1503 1501 b64e5e-b64e7b 1497->1501 1502 b64dea-b64e09 1497->1502 1510 b64ebe-b64ebf 1499->1510 1511 b64efb-b64f1c 1499->1511 1512 b64e80-b64e8f 1501->1512 1503->1502 1510->1512 1513 b64ec1-b64ec6 1510->1513 1514 b64f1e-b64f38 1511->1514 1515 b64f3d-b64f40 1511->1515 1518 b64e91 1512->1518 1519 b64e99 1512->1519 1513->1495 1513->1499 1514->1515 1518->1519 1519->1492
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID: (bq$(bq$(bq$(bq$(bq$(bq$(bq$(bq$(bq$(bq
                                                                                                                                                                                                                          • API String ID: 0-668029649
                                                                                                                                                                                                                          • Opcode ID: 4b649872165b24deffa31e3a7bc4f5d37016844b9a24e6acfc20ace586e25dff
                                                                                                                                                                                                                          • Instruction ID: 9c707735cdba4be9348e8b3445d0977d511e8db5d64d8d075b64b144e4b2f6cb
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4b649872165b24deffa31e3a7bc4f5d37016844b9a24e6acfc20ace586e25dff
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9A52E231B046548FCB15DF68D8546AEBBF2EF89310F2580A9D506EB3A1DF389D06CB91

Control-flow Graph
control_flow_graph 1522 604a36f0-604a3711 1523 604a3b59-604a3b5e call 604fd620 1522->1523 1524 604a3717-604a3724 1522->1524 1527 604a3b63-604a3b64 1523->1527 1526 604a372a-604a373e 1524->1526 1524->1527 1530 604a3740-604a3743 1526->1530 1531 604a3746-604a3775 1526->1531 1529 604a3b66-604a3b6b call 604cd1d4 1527->1529 1546 604a3b74-604a3b9a call 604fcfe0 call 60460600 call 604fd060 1529->1546 1530->1531 1533 604a378d-604a379a 1531->1533 1534 604a3777-604a378b 1531->1534 1535 604a38be-604a38da TryAcquireSRWLockExclusive 1533->1535 1536 604a37a0-604a37b6 1533->1536 1534->1533 1539 604a3b3b-604a3b44 call 604a2760 1535->1539 1540 604a38e0-604a38e6 1535->1540 1536->1529 1538 604a37bc-604a37d4 1536->1538 1541 604a37da-604a37dd 1538->1541 1542 604a3b49-604a3b52 call 604675a0 1538->1542 1539->1542 1543 604a3aea-604a3afd call 604a0d00 1540->1543 1544 604a38ec-604a38fb 1540->1544 1541->1535 1548 604a37e3-604a37f5 1541->1548 1542->1523 1557 604a3b02-604a3b04 1543->1557 1550 604a3ad3-604a3ad5 1544->1550 1551 604a3901-604a3916 1544->1551 1586 604a3b9f-604a3bb5 1546->1586 1555 604a37fb-604a3801 1548->1555 1556 604a3980-604a398c 1548->1556 1561 604a3adc-604a3ae5 call 604a2760 1550->1561 1558 604a391c-604a3924 1551->1558 1559 604a3bb7-604a3bc7 1551->1559 1563 604a3803-604a3807 1555->1563 1564 604a3877-604a3899 call 604a2c10 1555->1564 1568 604a3990-604a39ad TryAcquireSRWLockExclusive 1556->1568 1565 604a3b0a-604a3b34 1557->1565 1566 604a3be2-604a3bec ReleaseSRWLockExclusive 1557->1566 1558->1559 1567 604a392a-604a3979 ReleaseSRWLockExclusive 1558->1567 1562 604a3bc9-604a3bdd call 604fcfe0 call 60460600 call 604fd060 1559->1562 1561->1543 1562->1566 1575 604a380b-604a3814 1563->1575 1564->1575 1588 604a389f 1564->1588 1565->1539 1567->1556 1568->1561 1570 604a39b3-604a39c1 1568->1570 1576 604a3a68-604a3a80 call 604a0d00 1570->1576 1577 604a39c7-604a39e4 1570->1577 1582 604a3873-604a3875 1575->1582 1583 604a3816-604a381d 1575->1583 1576->1566 1603 604a3a86-604a3ab8 1576->1603 1584 604a39e6-604a39f2 1577->1584 1585 604a3a64-604a3a66 1577->1585 1587 604a3826-604a384b 1582->1587 1583->1546 1590 604a3823 1583->1590 1584->1586 1592 604a39f8-604a3a00 1584->1592 1594 604a3a09-604a3a26 1585->1594 1586->1562 1595 604a385e-604a3872 call 604cdc48 1587->1595 1596 604a384d-604a3853 1587->1596 1588->1568 1590->1587 1592->1586 1598 604a3a06 1592->1598 1599 604a3a2a-604a3a5b ReleaseSRWLockExclusive 1594->1599 1601 604a38a4-604a38bc 1596->1601 1602 604a3855 1596->1602 1598->1594 1599->1585 1606 604a3858 1601->1606 1602->1606 1607 604a3aba-604a3abd 1603->1607 1608 604a3ace-604a3ad1 1603->1608 1606->1595 1609 604a3ac0-604a3ac9 1607->1609 1608->1609 1609->1599
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 604A2C10: TryAcquireSRWLockExclusive.KERNEL32(?), ref: 604A2C53
                                                                                                                                                                                                                            • Part of subcall function 604A2C10: ReleaseSRWLockExclusive.KERNEL32(?,?,00000021,?,00004000,000000FF), ref: 604A2D4A
                                                                                                                                                                                                                          • TryAcquireSRWLockExclusive.KERNEL32(?), ref: 604A38D2
                                                                                                                                                                                                                          • ReleaseSRWLockExclusive.KERNEL32(?), ref: 604A3971
                                                                                                                                                                                                                          • TryAcquireSRWLockExclusive.KERNEL32(?), ref: 604A39A5
                                                                                                                                                                                                                          • ReleaseSRWLockExclusive.KERNEL32(?,?,00000000,00000000,00004000,00000000), ref: 604A3A51
                                                                                                                                                                                                                          • ReleaseSRWLockExclusive.KERNEL32(?,?,00000000,00000000,00004000,00000000), ref: 604A3BE6
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
• Associated: 0000000E.00000002.3490853439.0000000060450000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491756212.0000000060529000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491908614.000000006054A000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006054C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006055C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.0000000060564000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492083196.0000000060566000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492122559.0000000060572000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492191897.0000000060575000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492229716.000000006057D000.00000020.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492267357.000000006057E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ExclusiveLock$Release$Acquire
                                                                                                                                                                                                                          • String ID: @)W`$first
                                                                                                                                                                                                                          • API String ID: 1021914862-1331278718
                                                                                                                                                                                                                          • Opcode ID: e5f14dc56c941800c4162857cb9b631effe4e28c908da06553a9013abef659ad
                                                                                                                                                                                                                          • Instruction ID: 64b1f29d29ecf82d9c86020e0f59596f11db1fd9cc1de9b8b3236309d8ef208a
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e5f14dc56c941800c4162857cb9b631effe4e28c908da06553a9013abef659ad
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DBE1F3716043018FD718CF28C884B66BBE2FFA5318F19856CF9458B39AE779E945CB81

Control-flow Graph
                                                                                                                                                                                                                          control_flow_graph 1714 60474fa0-60474fb8 1715 60474fd1-60474fd8 1714->1715 1716 60474fba-60474fcb call 604e703c 1714->1716 1718 60475063 call 60474970 1715->1718 1719 60474fde-6047501e 1715->1719 1716->1715 1725 6047510d-6047510f 1716->1725 1726 60475068-6047506a 1718->1726 1722 60475020-60475042 call 604e6f14 call 60473730 call 60474af0 call 60474d30 1719->1722 1723 6047504a-6047505c call 60474f00 1719->1723 1747 60475047 1722->1747 1732 60475075-60475078 1723->1732 1733 6047505e-60475061 1723->1733 1731 604750f5-60475108 call 604cdc48 1725->1731 1726->1719 1729 60475070 1726->1729 1729->1725 1736 6047507b-6047508d call 60473550 1732->1736 1733->1736 1743 6047508f-60475097 call 604ccef7 1736->1743 1744 6047509a-604750a1 1736->1744 1743->1744 1748 604750a6-604750dd RtlInitUnicodeString NtOpenKeyEx 1744->1748 1749 604750a3 1744->1749 1747->1723 1751 604750df-604750e8 1748->1751 1752 60475109-6047510b 1748->1752 1749->1748 1751->1731 1753 604750ea-604750f2 call 604ccef7 1751->1753 1752->1751 1753->1731
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • RtlInitUnicodeString.NTDLL(CVG`,?), ref: 604750AB
                                                                                                                                                                                                                          • NtOpenKeyEx.NTDLL(?,?,?,00000000), ref: 604750D6
                                                                                                                                                                                                                            • Part of subcall function 60474970: RtlFormatCurrentUserKeyPath.NTDLL(?), ref: 60474995
                                                                                                                                                                                                                            • Part of subcall function 60474970: RtlFreeUnicodeString.NTDLL(?), ref: 604749DD
                                                                                                                                                                                                                            • Part of subcall function 60474970: GetCommandLineW.KERNEL32(?,?,?), ref: 604749F8
                                                                                                                                                                                                                            • Part of subcall function 60474970: GetEnvironmentVariableW.KERNEL32(PROGRAMFILES,?,00000104,?,?,?), ref: 60474A0B
                                                                                                                                                                                                                            • Part of subcall function 60474970: GetEnvironmentVariableW.KERNEL32(PROGRAMFILES(X86),?,00000104,?,?,?), ref: 60474A3A
                                                                                                                                                                                                                            • Part of subcall function 60474970: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?), ref: 60474A70
                                                                                                                                                                                                                            • Part of subcall function 60474970: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 60474A7C
                                                                                                                                                                                                                            • Part of subcall function 60474970: GetCurrentProcess.KERNEL32(?,?,?), ref: 60474A88
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
• Associated: 0000000E.00000002.3490853439.0000000060450000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491756212.0000000060529000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491908614.000000006054A000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006054C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006055C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.0000000060564000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492083196.0000000060566000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492122559.0000000060572000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492191897.0000000060575000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492229716.000000006057D000.00000020.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492267357.000000006057E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CurrentEnvironmentStringUnicodeVariable$AddressCommandFormatFreeHandleInitLineModuleOpenPathProcProcessUser
                                                                                                                                                                                                                          • String ID: CVG`$CVG`
                                                                                                                                                                                                                          • API String ID: 3669629139-1012662543
                                                                                                                                                                                                                          • Opcode ID: 08f6ad4a27d4e12b3e9602cc7230fe901fde7604a1d6fc6ad0d0284a904bec88
                                                                                                                                                                                                                          • Instruction ID: 9b3efae898c6018cdae522271f9013f94e31c1249f38a2b54384d5769657b352
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 08f6ad4a27d4e12b3e9602cc7230fe901fde7604a1d6fc6ad0d0284a904bec88
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7241A0B1D04259AFDB31CF64D841FEE7BB5AFA5308F148029F805AB250EB789945CBD1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 60474FA0: RtlInitUnicodeString.NTDLL(CVG`,?), ref: 604750AB
                                                                                                                                                                                                                            • Part of subcall function 60474FA0: NtOpenKeyEx.NTDLL(?,?,?,00000000), ref: 604750D6
                                                                                                                                                                                                                          • NtClose.NTDLL ref: 60475684
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
• Associated: 0000000E.00000002.3490853439.0000000060450000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491756212.0000000060529000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491908614.000000006054A000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006054C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006055C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.0000000060564000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492083196.0000000060566000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492122559.0000000060572000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492191897.0000000060575000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492229716.000000006057D000.00000020.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492267357.000000006057E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CloseInitOpenStringUnicode
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2903745284-0
                                                                                                                                                                                                                          • Opcode ID: 6b6b6d3d79339e933f64d7fd0058abc164619d8b691a6162dbad03a0af383b94
                                                                                                                                                                                                                          • Instruction ID: 4149fbd7e92178c0287f0d2a2257005c6bdf2c8fc0540f175ff0059918a03009
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6b6b6d3d79339e933f64d7fd0058abc164619d8b691a6162dbad03a0af383b94
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 130184B1D001186FDF209FA4AC41EEEBB69EF65228F418118FC183B281D7B96D15C7E1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • VirtualAlloc.KERNEL32(?,00000000,00003000,60466E01,00000000,?,00000000,?,?,60466E01,00000000,?,?), ref: 6046682C
                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,60466E01,00000000,?,?), ref: 60466856
                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 60466897
                                                                                                                                                                                                                          • Sleep.KERNEL32(00000032), ref: 604668B1
                                                                                                                                                                                                                          • VirtualAlloc.KERNEL32(?,00000000,00003000,60466E01), ref: 604668BF
                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 604668C9
                                                                                                                                                                                                                          • Sleep.KERNEL32(00000032), ref: 604668E7
                                                                                                                                                                                                                          • VirtualAlloc.KERNEL32(?,00000000,00003000,60466E01), ref: 604668F5
                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 60466903
                                                                                                                                                                                                                          • Sleep.KERNEL32(00000032), ref: 60466921
                                                                                                                                                                                                                          • VirtualAlloc.KERNEL32(?,00000000,00003000,60466E01), ref: 6046692F
                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 6046693D
                                                                                                                                                                                                                          • Sleep.KERNEL32(00000032), ref: 6046695B
                                                                                                                                                                                                                          • VirtualAlloc.KERNEL32(?,00000000,00003000,60466E01), ref: 60466969
                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 60466977
                                                                                                                                                                                                                          • Sleep.KERNEL32(00000032), ref: 60466995
                                                                                                                                                                                                                          • VirtualAlloc.KERNEL32(?,00000000,00003000,60466E01), ref: 604669A3
                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 604669B1
                                                                                                                                                                                                                          • Sleep.KERNEL32(00000032), ref: 604669CF
                                                                                                                                                                                                                          • VirtualAlloc.KERNEL32(?,00000000,00003000,60466E01), ref: 604669DD
                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 604669EB
                                                                                                                                                                                                                          • Sleep.KERNEL32(00000032), ref: 60466A09
                                                                                                                                                                                                                          • VirtualAlloc.KERNEL32(?,00000000,00003000,60466E01), ref: 60466A17
                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 60466A25
                                                                                                                                                                                                                          • Sleep.KERNEL32(00000032), ref: 60466A43
                                                                                                                                                                                                                          • VirtualAlloc.KERNEL32(?,00000000,00003000,60466E01), ref: 60466A51
                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 60466A5F
                                                                                                                                                                                                                          • Sleep.KERNEL32(00000032), ref: 60466A7D
                                                                                                                                                                                                                          • VirtualAlloc.KERNEL32(?,00000000,00003000,60466E01), ref: 60466A8B
                                                                                                                                                                                                                          • GetLastError.KERNEL32 ref: 60466A99
                                                                                                                                                                                                                          • Sleep.KERNEL32(00000032), ref: 60466AB7
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
• Associated: 0000000E.00000002.3490853439.0000000060450000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491756212.0000000060529000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491908614.000000006054A000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006054C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006055C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.0000000060564000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492083196.0000000060566000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492122559.0000000060572000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492191897.0000000060575000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492229716.000000006057D000.00000020.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492267357.000000006057E000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
Similarity
• API ID: ErrorLast$AllocSleepVirtual
• String ID:
• API String ID: 4039713267-0
• Opcode ID: d35988517d78a7db6fdcde9ccbf9068cb1002c5896cdbf35d67baa424aad9026
• Instruction ID: 28deaeba9750c40b2aef9d57a23fffab0f547df8f8f3953a710616ed1b6aa148
• Opcode Fuzzy Hash: d35988517d78a7db6fdcde9ccbf9068cb1002c5896cdbf35d67baa424aad9026
• Instruction Fuzzy Hash: BC42A131A14106AFDF226FA4CC4DF9E7F76EF27355F114028E505AA260EB348A84CF52

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 910 604a07f0-604a0802 911 604a0832-604a0835 910->911 912 604a0804 910->912 913 604a083b 911->913 914 604a08de-604a08df 911->914 915 604a0809-604a0822 VirtualAlloc 912->915 913->914 913->915 916 604a0849-604a084b 913->916 917 604a08e1-604a08f0 GetLastError 914->917 918 604a0828-604a0831 915->918 919 604a0824-604a0826 915->919 916->918 920 604a08fd-604a0917 Sleep VirtualAlloc 917->920 921 604a08f2-604a08f7 917->921 919->918 922 604a084d-604a085c GetLastError 919->922 920->918 923 604a091d-604a092c GetLastError 920->923 921->916 921->920 924 604a085e-604a0863 922->924 925 604a0865-604a087f Sleep VirtualAlloc 922->925 926 604a0939-604a0953 Sleep VirtualAlloc 923->926 927 604a092e-604a0933 923->927 924->916 924->925 925->918 928 604a0881-604a08cf GetLastError 925->928 926->918 929 604a0959-604a0968 GetLastError 926->929 927->916 927->926 933 604a089e-604a08b8 Sleep VirtualAlloc 928->933 934 604a08d1-604a08d6 928->934 931 604a096a-604a096f 929->931 932 604a0975-604a098f Sleep VirtualAlloc 929->932 931->916 931->932 932->918 935 604a0995-604a09a4 GetLastError 932->935 933->918 936 604a08be 933->936 934->916 937 604a08dc 934->937 938 604a09b1-604a09cb Sleep VirtualAlloc 935->938 939 604a09a6-604a09ab 935->939 936->917 937->933 938->918 940 604a09d1-604a09e0 GetLastError 938->940 939->916 939->938 941 604a09ed-604a0a07 Sleep VirtualAlloc 940->941 942 604a09e2-604a09e7 940->942 941->918 943 604a0a0d-604a0a1c GetLastError 941->943 942->916 942->941 944 604a0a29-604a0a43 Sleep VirtualAlloc 943->944 945 604a0a1e-604a0a23 943->945 944->918 946 604a0a49-604a0a58 GetLastError 944->946 945->916 945->944 947 604a0a5a-604a0a5f 946->947 948 604a0a65-604a0a7f Sleep VirtualAlloc 946->948 947->916 947->948 948->918 949 604a0a85-604a0a94 GetLastError 948->949 950 604a0aa1-604a0aa9 Sleep 949->950 951 604a0a96-604a0a9b 949->951 951->916 951->950
APIs
• VirtualAlloc.KERNELBASE(?,00000001,00001000,?,?,?,604A1E3F,00000001,?,00000001,?,?,?,604FCFA4), ref: 604A081A
• GetLastError.KERNEL32(?,?,604A1E3F,00000001,?,00000001,?,?,?,604FCFA4), ref: 604A084D
• Sleep.KERNEL32(00000032,?,?,604A1E3F,00000001,?,00000001,?,?,?,604FCFA4), ref: 604A0867
• VirtualAlloc.KERNEL32(?,00000001,00001000,?,?,?,604A1E3F,00000001,?,00000001,?,?,?,604FCFA4), ref: 604A0877
• Sleep.KERNEL32(00000032,?,?,604A1E3F,00000001,?,00000001,?,?,?,604FCFA4), ref: 604A08A0
• VirtualAlloc.KERNEL32(?,00000001,00001000,?,?,?,604A1E3F,00000001,?,00000001,?,?,?,604FCFA4), ref: 604A08B0
• GetLastError.KERNEL32(?,?,604A1E3F,00000001,?,00000001,?,?,?,604FCFA4), ref: 604A08C0
• GetLastError.KERNEL32(?,?,?,?,?,604A1E3F,00000001,?,00000001,?,?,?,604FCFA4), ref: 604A08E1
• Sleep.KERNEL32(00000032,?,?,604A1E3F,00000001,?,00000001,?,?,?,604FCFA4), ref: 604A08FF
• VirtualAlloc.KERNEL32(?,00000001,00001000,?,?,?,604A1E3F,00000001,?,00000001,?,?,?,604FCFA4), ref: 604A090F
• GetLastError.KERNEL32(?,?,604A1E3F,00000001,?,00000001,?,?,?,604FCFA4), ref: 604A091D
• Sleep.KERNEL32(00000032,?,?,604A1E3F,00000001,?,00000001,?,?,?,604FCFA4), ref: 604A093B
• VirtualAlloc.KERNEL32(?,00000001,00001000,?,?,?,604A1E3F,00000001,?,00000001,?,?,?,604FCFA4), ref: 604A094B
• GetLastError.KERNEL32(?,?,604A1E3F,00000001,?,00000001,?,?,?,604FCFA4), ref: 604A0959
• Sleep.KERNEL32(00000032,?,?,604A1E3F,00000001,?,00000001,?,?,?,604FCFA4), ref: 604A0977
• VirtualAlloc.KERNEL32(?,00000001,00001000,?,?,?,604A1E3F,00000001,?,00000001,?,?,?,604FCFA4), ref: 604A0987
• GetLastError.KERNEL32(?,?,604A1E3F,00000001,?,00000001,?,?,?,604FCFA4), ref: 604A0995
• Sleep.KERNEL32(00000032,?,?,604A1E3F,00000001,?,00000001,?,?,?,604FCFA4), ref: 604A09B3
• VirtualAlloc.KERNEL32(?,00000001,00001000,?,?,?,604A1E3F,00000001,?,00000001,?,?,?,604FCFA4), ref: 604A09C3
• GetLastError.KERNEL32(?,?,604A1E3F,00000001,?,00000001,?,?,?,604FCFA4), ref: 604A09D1
Memory Dump Source
• Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
• Associated: 0000000E.00000002.3490853439.0000000060450000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491756212.0000000060529000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491908614.000000006054A000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006054C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006055C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.0000000060564000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492083196.0000000060566000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492122559.0000000060572000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492191897.0000000060575000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492229716.000000006057D000.00000020.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492267357.000000006057E000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
Similarity
• API ID: AllocErrorLastVirtual$Sleep
• String ID:
• API String ID: 1485398201-0
• Opcode ID: 27d4cc50ace4eab1d8744c5cad21e77f2fb4797dcee7308b41c30f1d564d0157
• Instruction ID: fa9cc3e9224be9f6af5688e9593cab61c467115a850c3f472961a89971698889
• Opcode Fuzzy Hash: 27d4cc50ace4eab1d8744c5cad21e77f2fb4797dcee7308b41c30f1d564d0157
• Instruction Fuzzy Hash: 3B515B30645201AFDF322B65CC4DF9E3E39EF77795F214028F14AA91A5D7688A80CA96

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 952 60466590-604665b3 VirtualAlloc 953 604665c7-604665cb 952->953 954 604665b5-604665bd 952->954 954->953 955 604665bf-604665c1 954->955 955->953 956 604665c3-604665c5 955->956 956->953 957 604665d0-604665df GetLastError 956->957 958 604665e1-604665e6 957->958 959 604665e8-60466600 Sleep VirtualAlloc 957->959 958->959 960 604665cc-604665ce 958->960 959->953 961 60466602-6046662f GetLastError 959->961 960->953 963 60466604-6046661c Sleep VirtualAlloc 961->963 964 60466631-60466636 961->964 963->953 965 6046661e-60466649 GetLastError 963->965 964->960 966 60466638 964->966 968 60466656-6046666e Sleep VirtualAlloc 965->968 969 6046664b-60466650 965->969 966->963 968->953 970 60466674-60466683 GetLastError 968->970 969->960 969->968 971 60466685-6046668a 970->971 972 60466690-604666a8 Sleep VirtualAlloc 970->972 971->960 971->972 972->953 973 604666ae-604666bd GetLastError 972->973 974 604666bf-604666c4 973->974 975 604666ca-604666e2 Sleep VirtualAlloc 973->975 974->960 974->975 975->953 976 604666e8-604666f7 GetLastError 975->976 977 60466704-6046671c Sleep VirtualAlloc 976->977 978 604666f9-604666fe 976->978 977->953 979 60466722-60466731 GetLastError 977->979 978->960 978->977 980 60466733-60466738 979->980 981 6046673e-60466756 Sleep VirtualAlloc 979->981 980->960 980->981 981->953 982 6046675c-6046676b GetLastError 981->982 983 6046676d-60466772 982->983 984 60466778-60466790 Sleep VirtualAlloc 982->984 983->960 983->984 984->953 985 60466796-604667a5 GetLastError 984->985 986 604667a7-604667ac 985->986 987 604667b2-604667ca Sleep VirtualAlloc 985->987 986->960 986->987 987->953 988 604667d0-604667df GetLastError 987->988 989 604667e1-604667e6 988->989 990 604667ec-604667f4 Sleep 988->990 989->960 989->990
APIs
• VirtualAlloc.KERNELBASE(00000005,?,?,?,?,00000000,00000000,?,60466B27,?,?,00001000), ref: 604665AA
• GetLastError.KERNEL32(?,60466B27,?,?,00001000), ref: 604665D0
• Sleep.KERNEL32(00000032,?,60466B27,?,?,00001000), ref: 604665EA
• VirtualAlloc.KERNEL32(00000005,?,?,?,?,60466B27,?,?,00001000), ref: 604665F8
• Sleep.KERNEL32(00000032,?,60466B27,?,?,00001000), ref: 60466606
• VirtualAlloc.KERNEL32(00000005,?,?,?,?,60466B27,?,?,00001000), ref: 60466614
• GetLastError.KERNEL32(?,60466B27,?,?,00001000), ref: 60466620
• GetLastError.KERNEL32(?,60466B27,?,?,00001000), ref: 6046663A
• Sleep.KERNEL32(00000032,?,60466B27,?,?,00001000), ref: 60466658
• VirtualAlloc.KERNEL32(00000005,?,?,?,?,60466B27,?,?,00001000), ref: 60466666
• GetLastError.KERNEL32(?,60466B27,?,?,00001000), ref: 60466674
• Sleep.KERNEL32(00000032,?,60466B27,?,?,00001000), ref: 60466692
• VirtualAlloc.KERNEL32(00000005,?,?,?,?,60466B27,?,?,00001000), ref: 604666A0
• GetLastError.KERNEL32(?,60466B27,?,?,00001000), ref: 604666AE
• Sleep.KERNEL32(00000032,?,60466B27,?,?,00001000), ref: 604666CC
• VirtualAlloc.KERNEL32(00000005,?,?,?,?,60466B27,?,?,00001000), ref: 604666DA
• GetLastError.KERNEL32(?,60466B27,?,?,00001000), ref: 604666E8
• Sleep.KERNEL32(00000032,?,60466B27,?,?,00001000), ref: 60466706
• VirtualAlloc.KERNEL32(00000005,?,?,?,?,60466B27,?,?,00001000), ref: 60466714
• GetLastError.KERNEL32(?,60466B27,?,?,00001000), ref: 60466722
• Sleep.KERNEL32(00000032,?,60466B27,?,?,00001000), ref: 60466740
• VirtualAlloc.KERNEL32(00000005,?,?,?,?,60466B27,?,?,00001000), ref: 6046674E
• GetLastError.KERNEL32(?,60466B27,?,?,00001000), ref: 6046675C
• Sleep.KERNEL32(00000032,?,60466B27,?,?,00001000), ref: 6046677A
• VirtualAlloc.KERNEL32(00000005,?,?,?,?,60466B27,?,?,00001000), ref: 60466788
• GetLastError.KERNEL32(?,60466B27,?,?,00001000), ref: 60466796
• Sleep.KERNEL32(00000032,?,60466B27,?,?,00001000), ref: 604667B4
• VirtualAlloc.KERNEL32(00000005,?,?,?,?,60466B27,?,?,00001000), ref: 604667C2
• GetLastError.KERNEL32(?,60466B27,?,?,00001000), ref: 604667D0
• Sleep.KERNEL32(00000032,?,60466B27,?,?,00001000), ref: 604667EE
Memory Dump Source
• Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
• Associated: 0000000E.00000002.3490853439.0000000060450000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491756212.0000000060529000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491908614.000000006054A000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006054C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006055C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.0000000060564000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492083196.0000000060566000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492122559.0000000060572000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492191897.0000000060575000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492229716.000000006057D000.00000020.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492267357.000000006057E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: AllocErrorLastSleepVirtual
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2288223010-0
                                                                                                                                                                                                                          • Opcode ID: 7a9f5c0408b194e564381d5d625932736202e893e7f9a24078e5a9189ead5c6c
                                                                                                                                                                                                                          • Instruction ID: 0cec0c2410c37b544bb453467239227ae5b8ee6a87d77ef48572a2a461e71eb1
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7a9f5c0408b194e564381d5d625932736202e893e7f9a24078e5a9189ead5c6c
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 25513A70115106BBCF222F61DC4EE9E3FBAEF63759F114028F506A9571E7358A88DE12

Control-flow Graph
APIs
• RtlFormatCurrentUserKeyPath.NTDLL(?), ref: 60474995
• RtlFreeUnicodeString.NTDLL(?), ref: 604749DD
• GetCommandLineW.KERNEL32(?,?,?), ref: 604749F8
• GetEnvironmentVariableW.KERNEL32(PROGRAMFILES,?,00000104,?,?,?), ref: 60474A0B
• GetEnvironmentVariableW.KERNEL32(PROGRAMFILES(X86),?,00000104,?,?,?), ref: 60474A3A
• GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?), ref: 60474A70
• GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 60474A7C
• GetCurrentProcess.KERNEL32(?,?,?), ref: 60474A88
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
• Associated: 0000000E.00000002.3490853439.0000000060450000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491756212.0000000060529000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491908614.000000006054A000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006054C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006055C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.0000000060564000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492083196.0000000060566000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492122559.0000000060572000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492191897.0000000060575000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492229716.000000006057D000.00000020.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492267357.000000006057E000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
Similarity
• API ID: CurrentEnvironmentVariable$AddressCommandFormatFreeHandleLineModulePathProcProcessStringUnicodeUser
• String ID: IsWow64Process$PROGRAMFILES$PROGRAMFILES(X86)$\BLBeacon$kernel32.dll
• API String ID: 1360800022-3675488706
• Opcode ID: ae9fa2105a050d81df7373345444e2b5e5fb6fd79e5ade9bf65505bdfc279eea
• Instruction ID: 10a1a143034728162397efbd2a352ba7db991e3f1f60c70349ff6b3607994283
• Opcode Fuzzy Hash: ae9fa2105a050d81df7373345444e2b5e5fb6fd79e5ade9bf65505bdfc279eea
• Instruction Fuzzy Hash: 3431E9716442146BEB309B755C8DFFF7FACDF72399F000068F805A2241EB789945DAA1

Control-flow Graph
control_flow_graph 1395 60469a70-60469a7f 1396 60469a85-60469a8b 1395->1396 1397 60469a81-60469a83 1395->1397 1398 60469aee-60469af0 call 604faaa0 1396->1398 1399 60469a8d-60469a90 1396->1399 1397->1396 1400 60469af5-60469b09 1397->1400 1398->1400 1403 60469ae2-60469ae7 1399->1403 1404 60469a92-60469a96 1399->1404 1402 60469b1f-60469b9c call 604fce60 QueryPerformanceFrequency QueryPerformanceCounter 1400->1402 1414 60469ba2-60469bd9 call 604cdc48 1402->1414 1415 60469b9e 1402->1415 1405 60469ab7-60469abc 1403->1405 1407 60469a98-60469a9c call 604ccec7 1404->1407 1408 60469ae9 call 604faac0 1404->1408 1411 60469ac5-60469adf call 604d0a10 1405->1411 1412 60469abe-60469ac3 1405->1412 1416 60469aa1-60469ab4 1407->1416 1408->1398 1412->1411 1418 60469b0b-60469b1a 1412->1418 1415->1414 1416->1405 1418->1402
APIs
• QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000025,__location != nullptr,null pointer given to construct_at), ref: 60469B56
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000025,__location != nullptr,null pointer given to construct_at), ref: 60469B66
Strings
• __n == 0 || __s != nullptr, xrefs: 60469AFA
• basic_string(const char*, n) detected nullptr, xrefs: 60469AF5
• ..\..\third_party\libc++\src\include\__string\char_traits.h, xrefs: 60469B1A
• ..\..\third_party\libc++\src\include\string, xrefs: 60469B04
• %s:%d: assertion %s failed: %s, xrefs: 60469B1F
• char_traits::copy overlapped range, xrefs: 60469B0B
• __s2 < __s1 || __s2 >= __s1+__n, xrefs: 60469B10
Memory Dump Source
• Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
• Associated: 0000000E.00000002.3490853439.0000000060450000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491756212.0000000060529000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491908614.000000006054A000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006054C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006055C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.0000000060564000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492083196.0000000060566000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492122559.0000000060572000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492191897.0000000060575000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492229716.000000006057D000.00000020.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492267357.000000006057E000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
Similarity
• API ID: PerformanceQuery$CounterFrequency
• String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\__string\char_traits.h$..\..\third_party\libc++\src\include\string$__n == 0 || __s != nullptr$__s2 < __s1 || __s2 >= __s1+__n$basic_string(const char*, n) detected nullptr$char_traits::copy overlapped range
• API String ID: 774501991-1402792131
• Opcode ID: 1800a2ae72fe2adb7d06c21e2cc8df3c07e8acce5639aede280c531520e489b9
• Instruction ID: 8298b79c58b31f99c3faeff1f16f3a8b73e256d8797e79134b187e35d6d3e3d4
• Opcode Fuzzy Hash: 1800a2ae72fe2adb7d06c21e2cc8df3c07e8acce5639aede280c531520e489b9
• Instruction Fuzzy Hash: 50413470504714AFC721DF65C880C5ABBE8FFA6354F108A2EF889A7210EB759955C792

Control-flow Graph
control_flow_graph 1422 604e092a-604e095a call 604e0dc4 1425 604e095c-604e0967 call 604de57f 1422->1425 1426 604e0975-604e0981 call 604df1b4 1422->1426 1433 604e0969-604e0970 call 604de56c 1425->1433 1431 604e099a-604e09ce call 604e0d2f 1426->1431 1432 604e0983-604e0998 call 604de57f call 604de56c 1426->1432 1439 604e09d3-604e09e3 1431->1439 1432->1433 1440 604e0c4f-604e0c53 1433->1440 1442 604e09e5-604e09ee 1439->1442 1443 604e0a50-604e0a59 GetFileType 1439->1443 1447 604e0a25-604e0a4b GetLastError call 604de592 1442->1447 1448 604e09f0-604e09f4 1442->1448 1444 604e0a5b-604e0a8c GetLastError call 604de592 CloseHandle 1443->1444 1445 604e0aa2-604e0aa5 1443->1445 1444->1433 1461 604e0a92-604e0a9d call 604de56c 1444->1461 1451 604e0aae-604e0ab4 1445->1451 1452 604e0aa7-604e0aac 1445->1452 1447->1433 1448->1447 1453 604e09f6-604e0a23 call 604e0d2f 1448->1453 1457 604e0ab8-604e0b06 call 604df358 1451->1457 1458 604e0ab6 1451->1458 1452->1457 1453->1443 1453->1447 1464 604e0b08-604e0b14 call 604e0f3e 1457->1464 1465 604e0b25-604e0b4d call 604e0fe8 1457->1465 1458->1457 1461->1433 1464->1465 1471 604e0b16 1464->1471 1472 604e0b4f-604e0b50 1465->1472 1473 604e0b52-604e0b93 1465->1473 1474 604e0b18-604e0b20 call 604dbde4 1471->1474 1472->1474 1475 604e0bb4-604e0bc2 1473->1475 1476 604e0b95-604e0b99 1473->1476 1474->1440 1478 604e0c4d 1475->1478 1479 604e0bc8-604e0bcc 1475->1479 1476->1475 1477 604e0b9b-604e0baf 1476->1477 1477->1475 1478->1440 1479->1478 1481 604e0bce-604e0c01 CloseHandle call 604e0d2f 1479->1481 1485 604e0c35-604e0c49 1481->1485 1486 604e0c03-604e0c2f GetLastError call 604de592 call 604df2c7 1481->1486 1485->1478 1486->1485
APIs
  • Part of subcall function 604E0D2F: CreateFileW.KERNELBASE(565753E5,89167401,1839FFFD,8B08758B,D043E8CF,8BE85653,00000000,604FE636,604E09D3,68F1890C,604FE61E), ref: 604E0D4C
• GetLastError.KERNEL32 ref: 604E0A3E
• __dosmaperr.LIBCMT ref: 604E0A45
• GetFileType.KERNEL32(00000000), ref: 604E0A51
• GetLastError.KERNEL32 ref: 604E0A5B
• __dosmaperr.LIBCMT ref: 604E0A64
• CloseHandle.KERNEL32 ref: 604E0A84
• CloseHandle.KERNEL32(89167401), ref: 604E0BD1
• GetLastError.KERNEL32 ref: 604E0C03
• __dosmaperr.LIBCMT ref: 604E0C0A
Memory Dump Source
• Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
• Associated: 0000000E.00000002.3490853439.0000000060450000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491756212.0000000060529000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491908614.000000006054A000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006054C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006055C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.0000000060564000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492083196.0000000060566000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492122559.0000000060572000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492191897.0000000060575000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492229716.000000006057D000.00000020.00000001.01000000.00000016.sdmp
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492267357.000000006057E000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 4237864984-0
                                                                                                                                                                                                                          • Opcode ID: 138532a26fc8398d47a661d6bd59b3b4535f32581592091aec2b4d2c933e6de0
                                                                                                                                                                                                                          • Instruction ID: d0c362d2864c596af16264f51721baeb3ef6219c59d67f425b29a395c1599642
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 138532a26fc8398d47a661d6bd59b3b4535f32581592091aec2b4d2c933e6de0
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E6A14732A142149FDF299FA8DC51FAD3FB1AB27319F14015DE821AB3D1DB399852CB81

Control-flow Graph (entry block 1668 at 604ce63e; 18 blocks, 28 edges)
• Block 1668: 604ce63e-604ce64f, call 604cdf70
• Block 1671: 604ce660-604ce667
• Block 1672: 604ce651-604ce657
• Block 1674: 604ce669-604ce66c
• Block 1675: 604ce673-604ce687, dllmain_raw
• Block 1673: 604ce659-604ce65b
• Block 1676: 604ce739-604ce748
• Block 1677: 604ce66e-604ce671
• Block 1678: 604ce68d-604ce69e, dllmain_crt_dispatch
• Block 1679: 604ce730-604ce737
• Block 1680: 604ce6a4-604ce6a9, call 604615d0
• Block 1682: 604ce6ae-604ce6b6
• Block 1683: 604ce6df-604ce6e1
• Block 1684: 604ce6b8-604ce6ba
• Block 1686: 604ce6e8-604ce6f9, dllmain_crt_dispatch
• Block 1687: 604ce6e3-604ce6e6
• Block 1685: 604ce6bc-604ce6da, call 604615d0, call 604ce502, dllmain_raw
• Block 1689: 604ce6fb-604ce72d, dllmain_raw
• Edges (block -> successors): 1668 -> 1671, 1672; 1671 -> 1674, 1675; 1672 -> 1671, 1673; 1673 -> 1676; 1674 -> 1675, 1677; 1675 -> 1678, 1679; 1677 -> 1680; 1678 -> 1679, 1680; 1679 -> 1676; 1680 -> 1682; 1682 -> 1683, 1684; 1683 -> 1686, 1687; 1684 -> 1683, 1685; 1685 -> 1683; 1686 -> 1679, 1689; 1687 -> 1679, 1686; 1689 -> 1679
APIs
Memory Dump Source
• Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
• Associated: 0000000E.00000002.3490853439.0000000060450000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491756212.0000000060529000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491908614.000000006054A000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006054C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006055C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.0000000060564000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492083196.0000000060566000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492122559.0000000060572000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492191897.0000000060575000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492229716.000000006057D000.00000020.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492267357.000000006057E000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
Similarity
• API ID: dllmain_raw$dllmain_crt_dispatch
• String ID:
• API String ID: 3136044242-0
• Opcode ID: db57c649beb2e7ff1a74fb233789eed31399c9808b4b3cbef6ac84fa37665649
• Instruction ID: 23341dbd1f44413165ce07faf0babe59a766c2d7a99e51254b93ce53549a6bcf
• Opcode Fuzzy Hash: db57c649beb2e7ff1a74fb233789eed31399c9808b4b3cbef6ac84fa37665649
• Instruction Fuzzy Hash: 99218079E11628AACB324E56C8C3F6F3A79EBB0698F014529F8155B210F3388D418BD2

Control-flow Graph (entry block 1789 at 604a2010; 20 blocks, 25 edges)
• Block 1789: 604a2010-604a202c, TryAcquireSRWLockExclusive
• Block 1790: 604a219e-604a21a5, call 604a2760
• Block 1791: 604a2032-604a203c
• Block 1802: 604a21aa-604a21b2, call 60467680
• Block 1793: 604a2042-604a2053
• Block 1794: 604a21b4-604a21c3, ReleaseSRWLockExclusive
• Block 1796: 604a20ad-604a20c6
• Block 1797: 604a2055-604a20a5, call 60467300 * 4
• Block 1798: 604a217d-604a2181
• Block 1800: 604a20cc-604a20fd, call 604a19d0
• Block 1801: 604a2184-604a2194
• Block 1822: 604a20aa
• Block 1810: 604a2102-604a211d, call 604a0b00
• Block 1805: 604a2196-604a2199
• Block 1806: 604a21c5-604a21c8
• Block 1814: 604a2159-604a217a, ReleaseSRWLockExclusive
• Block 1818: 604a211f-604a2126
• Block 1820: 604a2128
• Block 1821: 604a2147-604a2157, call 60467620
• Block 1823: 604a212a-604a2145, call 604a0b00
• Edges (block -> successors): 1789 -> 1790, 1791; 1790 -> 1802; 1791 -> 1793, 1794; 1793 -> 1796, 1797; 1794 -> 1798; 1796 -> 1800, 1801; 1797 -> 1822; 1800 -> 1810; 1801 -> 1805, 1806; 1802 -> 1814; 1805 -> 1800; 1810 -> 1818; 1814 -> 1798; 1818 -> 1820, 1821; 1820 -> 1823; 1821 -> 1802, 1814; 1822 -> 1796; 1823 -> 1821
APIs
• TryAcquireSRWLockExclusive.KERNEL32(?,?,?,00000000,?,60467598), ref: 604A2021
• ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,00000000,?,60467598), ref: 604A2167
• ReleaseSRWLockExclusive.KERNEL32 ref: 604A21BA
Memory Dump Source
• Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
• Associated: 0000000E.00000002.3490853439.0000000060450000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491756212.0000000060529000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491908614.000000006054A000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006054C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006055C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.0000000060564000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492083196.0000000060566000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492122559.0000000060572000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492191897.0000000060575000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492229716.000000006057D000.00000020.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492267357.000000006057E000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
Similarity
• API ID: ExclusiveLock$Release$Acquire
• String ID:
• API String ID: 1021914862-0
• Opcode ID: 749297eaf987bc4d3a408821c5c4290caa01257e1e4a34e6c7d873814046d3a8
• Instruction ID: c17dfbaea69fe06b8484eb87e4195ce94ca7f7dc61c7d4602bbdb5b8e4e6063c
• Opcode Fuzzy Hash: 749297eaf987bc4d3a408821c5c4290caa01257e1e4a34e6c7d873814046d3a8
• Instruction Fuzzy Hash: 8641F2709087858BD725AF39CA4069DFFA0BF36308F054A2DD99496311EB39A9D4D7C2
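The report's graph widget serialises each Control-flow Graph as a single whitespace-separated `control_flow_graph` line: a decimal block id followed by its address range, optional call targets and API names as labels, and `a->b` edges. The Python below is an added example for working with that export when scraping reports; it is not Joe Sandbox code and not part of the analysed sample. The grammar is inferred from this report's exported text and is an assumption, as are the helper names. The constructed sample is the line exported for the function at 604a2010 above, copied verbatim; the last helper derives a lock-balance check from it (exits reachable without passing a ReleaseSRWLockExclusive block).

```python
import re
from collections import deque

# Constructed sample: the control_flow_graph line exported for the function at
# 604a2010 (process 14, module at 0x60450000) in this report, copied verbatim.
SAMPLE = (
    "control_flow_graph 1789 604a2010-604a202c TryAcquireSRWLockExclusive "
    "1790 604a219e-604a21a5 call 604a2760 1789->1790 1791 604a2032-604a203c "
    "1789->1791 1802 604a21aa-604a21b2 call 60467680 1790->1802 "
    "1793 604a2042-604a2053 1791->1793 "
    "1794 604a21b4-604a21c3 ReleaseSRWLockExclusive 1791->1794 "
    "1796 604a20ad-604a20c6 1793->1796 "
    "1797 604a2055-604a20a5 call 60467300 * 4 1793->1797 "
    "1798 604a217d-604a2181 1794->1798 "
    "1800 604a20cc-604a20fd call 604a19d0 1796->1800 "
    "1801 604a2184-604a2194 1796->1801 1822 604a20aa 1797->1822 "
    "1810 604a2102-604a211d call 604a0b00 1800->1810 "
    "1805 604a2196-604a2199 1801->1805 1806 604a21c5-604a21c8 1801->1806 "
    "1814 604a2159-604a217a ReleaseSRWLockExclusive 1802->1814 1805->1800 "
    "1818 604a211f-604a2126 1810->1818 1814->1798 1820 604a2128 1818->1820 "
    "1821 604a2147-604a2157 call 60467620 1818->1821 "
    "1823 604a212a-604a2145 call 604a0b00 1820->1823 "
    "1821->1802 1821->1814 1822->1796 1823->1821"
)

EDGE = re.compile(r"^(\d+)->(\d+)$")
RANGE = re.compile(r"^([0-9a-f]{8})(?:-([0-9a-f]{8}))?$")  # 32-bit addresses
NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")             # API / function label


def parse_cfg(line):
    """Return (blocks, edges). blocks: id -> {start, end, labels} in export
    order (assumption: the entry block is exported first). edges: id -> list
    of successor ids, with an empty list for terminal blocks."""
    tokens = line.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges, cur, i = {}, {}, None, 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges.setdefault(m.group(1), []).append(m.group(2))
            i += 1
            continue
        # A decimal id followed by an 8-digit hex address (or range) opens a
        # block. A decimal-only call target such as "call 60467300" is kept as
        # a label because the token after it is never an address in this export.
        if tok.isdigit() and i + 1 < len(tokens) and RANGE.match(tokens[i + 1]):
            r = RANGE.match(tokens[i + 1])
            cur = tok
            blocks[cur] = {"start": int(r.group(1), 16),
                           "end": int(r.group(2) or r.group(1), 16),
                           "labels": []}
            i += 2
            continue
        if cur is None:
            raise ValueError("label before first block: %r" % tok)
        blocks[cur]["labels"].append(tok)  # "call", target, "*", count, API name
        i += 1
    for b in blocks:
        edges.setdefault(b, [])
    return blocks, edges


def api_blocks(blocks):
    """Map each API/function-name label to the blocks that carry it."""
    out = {}
    for bid, b in blocks.items():
        for lab in b["labels"]:
            if lab != "call" and NAME.match(lab):
                out.setdefault(lab, []).append(bid)
    return out


def terminal_blocks(edges):
    """Blocks with no successors, i.e. the function's exits."""
    return sorted(b for b, succ in edges.items() if not succ)


def exits_avoiding(blocks, edges, start, avoid_label):
    """Exits reachable from `start` along paths that never enter a block
    labelled `avoid_label`, e.g. returns that skip a lock release."""
    barrier = {b for b, d in blocks.items() if avoid_label in d["labels"]}
    seen, queue = {start}, deque([start])
    while queue:
        b = queue.popleft()
        for s in edges.get(b, []):
            if s not in seen and s not in barrier:
                seen.add(s)
                queue.append(s)
    return sorted(b for b in seen if not edges.get(b))


if __name__ == "__main__":
    blocks, edges = parse_cfg(SAMPLE)
    entry = next(iter(blocks))
    print("entry %s at %08x, %d blocks, %d edges" % (
        entry, blocks[entry]["start"], len(blocks),
        sum(len(v) for v in edges.values())))
    print("API blocks:", api_blocks(blocks))
    print("exits:", terminal_blocks(edges))
    print("exits without ReleaseSRWLockExclusive:",
          exits_avoiding(blocks, edges, entry, "ReleaseSRWLockExclusive"))
```

On this graph the parser recovers 20 blocks and 25 edges, the acquire in block 1789 and the releases in 1794 and 1814, and two exits (1798 and 1806). Only 1806 is reachable without passing a release block; what that path is (an abort, an early-return on failure, or something else) is not something the graph alone tells you, so confirm it in the disassembly before drawing conclusions.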
APIs
• VirtualFree.KERNEL32(?,00000000,00008000,?,6046656E,FFE00000,00000002,?,604A1D5F,00000002,FFE00000,?,00000002,FFE00000,?,?), ref: 60466ADD
Memory Dump Source
• Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
• Associated: 0000000E.00000002.3490853439.0000000060450000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491756212.0000000060529000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491908614.000000006054A000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006054C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006055C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.0000000060564000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492083196.0000000060566000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492122559.0000000060572000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492191897.0000000060575000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492229716.000000006057D000.00000020.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492267357.000000006057E000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
Similarity
• API ID: FreeVirtual
• String ID:
• API String ID: 1263568516-0
• Opcode ID: 77471a66a8629f6b780d8b8b98be1d441028099016ac40ffb68daece5030cb59
• Instruction ID: b16ebf9322f57c9fc8d6cba1f2ea500312b71054242d9baa2a6613c8221d9606
• Opcode Fuzzy Hash: 77471a66a8629f6b780d8b8b98be1d441028099016ac40ffb68daece5030cb59
• Instruction Fuzzy Hash: 2A11E170B58218EBEB240E18CC14F553F5AEB32744F104825FB08DB380FA7DAC529A96
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
Similarity
• API ID:
• String ID: (bq$(bq$(bq
• API String ID: 0-2716923250
• Opcode ID: 3c228e4279758a36dae11565c24f77947218f90c60b3bfc1d46bf1af7ea6a3ca
                                                                                                                                                                                                                          • Instruction ID: c74039b0d2841c6762fbed3f86ecff13d1ce087ec2d1cbd05ee228c09764155c
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3c228e4279758a36dae11565c24f77947218f90c60b3bfc1d46bf1af7ea6a3ca
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 18210832B081944FD75A6B79581453E2BF7DBD632131842AAE90AC77D1DE388D0B83A6
APIs
• GetCommandLineW.KERNEL32(type,?,?,?,?,?,00000000,00000001,?,?,60461637), ref: 60475D40
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
• Associated: 0000000E.00000002.3490853439.0000000060450000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491756212.0000000060529000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491908614.000000006054A000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006054C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006055C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.0000000060564000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492083196.0000000060566000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492122559.0000000060572000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492191897.0000000060575000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492229716.000000006057D000.00000020.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492267357.000000006057E000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
Similarity
• API ID: CommandLine
• String ID: type
• API String ID: 3253501508-2363381545
• Opcode ID: 01985f97e7bc73ff7813cfdb4dccc840db957d5075218629a16a81126fdefc71
• Instruction ID: 71e06255bc10217561d1c6862419f2a8c2f9f2d40e53851df17331d4dce6a42a
• Opcode Fuzzy Hash: 01985f97e7bc73ff7813cfdb4dccc840db957d5075218629a16a81126fdefc71
• Instruction Fuzzy Hash: 6211B2B1D002185BCF319B61DC49EDEBFB5EF66218F04C429E809A6200E7795659C7D2
APIs
• TryAcquireSRWLockExclusive.KERNEL32(?), ref: 604A5F97
• ReleaseSRWLockExclusive.KERNEL32(?,00000001), ref: 604A6001
Memory Dump Source
• Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
Similarity
• API ID: ExclusiveLock$AcquireRelease
• String ID:
• API String ID: 17069307-0
• Opcode ID: cd36247b209d43198d354a0ee9b94c0034f41d3095d83dd3d828e29bfe6c4689
• Instruction ID: accbc0bf53be6954a3e8d789dc258184a4057cd708486e4a2f59092882499ae7
• Opcode Fuzzy Hash: cd36247b209d43198d354a0ee9b94c0034f41d3095d83dd3d828e29bfe6c4689
• Instruction Fuzzy Hash: 76A104726002028FD725CF68C544F65BBF1BF65318F198268E9198B79AD739ED91CBC0
Memory Dump Source
• Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2a399552c4597c363390827536bded583eb986abbd679052aeb5e48161d8ee64
• Instruction ID: fd97bc2e8516b32d652c5603858c36844f678a8c9edb5a81fc6e4a59229e1d4e
• Opcode Fuzzy Hash: 2a399552c4597c363390827536bded583eb986abbd679052aeb5e48161d8ee64
• Instruction Fuzzy Hash: 6AA1D075A00A119FD718CF29C890BE9B7F5FFA8314F04812DE829977A9D738A941CBD0
APIs
• __RTC_Initialize.LIBCMT ref: 604CE448
  • Part of subcall function 604CE80B: InitializeSListHead.KERNEL32(60566558,604CE452,605490A8,00000010,604CE5FB,?,00000000,?,00000007,605490C8,00000010,604CE60E,?,?,604CE697,?), ref: 604CE810
• ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 604CE4B2
Memory Dump Source
• Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3231365870-0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • __RTC_Initialize.LIBCMT ref: 604CE549
                                                                                                                                                                                                                          • ___scrt_uninitialize_crt.LIBCMT ref: 604CE563
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Initialize___scrt_uninitialize_crt
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2442719207-0
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID: (bq$(bq
                                                                                                                                                                                                                          • API String ID: 0-4224401849
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetLastError.KERNEL32(8955CCCC,604FE74C,604DE571,604E8B90,8955CCCC,00000000,604FE6C6,604CEEAE,00000000,604FE74C,8955CCCC,604FE746,?,?,604FE6DA,60510573), ref: 604E9C8F
                                                                                                                                                                                                                          • SetLastError.KERNEL32(00000000), ref: 604E9D31
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ErrorLast
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1452528299-0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • VirtualFree.KERNELBASE(?,00000001,00004000,?,604A1E3F,00000001,?,00000001,?,?,?,604FCFA4), ref: 604A07CE
                                                                                                                                                                                                                          • GetLastError.KERNEL32(?,604A1E3F,00000001,?,00000001,?,?,?,604FCFA4), ref: 604A07DA
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ErrorFreeLastVirtual
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 499627090-0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,6047433A,?), ref: 60474D9F
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: InfoNativeSystem
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1721193555-0
                                                                                                                                                                                                                          • Opcode ID: db009bd98a5893458f9af9014d4acb859d24588f876cc4a0a7bd1e16e10568ce
                                                                                                                                                                                                                          • Instruction ID: 89a342d240dafb7517bec17c77881d539ed3b1c244e713ed1396850e60a986e7
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: db009bd98a5893458f9af9014d4acb859d24588f876cc4a0a7bd1e16e10568ce
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4A517D70E042189FCB35CFA8C484AEDBBF2BFA9364F15C129E455AB351D7789981CB81
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetModuleFileNameW.KERNEL32(00000000,00000000,00000104), ref: 604772B8
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FileModuleName
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 514040917-0
                                                                                                                                                                                                                          • Opcode ID: 86e37a8bf68537f3201c85c89a8aacc50620bd7a89ee728aae3b40f7e5c49e15
                                                                                                                                                                                                                          • Instruction ID: b7fa2343ef386f9815024d35cf1c70d62c7ac4cd8fa6473281aafbc8d8c4f76b
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 86e37a8bf68537f3201c85c89a8aacc50620bd7a89ee728aae3b40f7e5c49e15
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6B2141B1D002095BDB309FA69C45DEFBFB8EF66308F40842DE85576200D7755945CBA1
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID: (bq
                                                                                                                                                                                                                          • API String ID: 0-149360118
                                                                                                                                                                                                                          • Opcode ID: f7b01b5827b4e0f7074fcfb9a724334aea57a9cab819b24c31bdf1f5c7cbe7e3
                                                                                                                                                                                                                          • Instruction ID: 7b042628d4a8c6cf3eb56a406c0fb20b9f4cc78bc5d5facd244b51c109352e79
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f7b01b5827b4e0f7074fcfb9a724334aea57a9cab819b24c31bdf1f5c7cbe7e3
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 89C16034B00218DFDB05DBA8D954AAE7BF7EF89700F148069E905A73A4DB39DD41CB91
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • IsProcessorFeaturePresent.KERNEL32(00000017,604D226B), ref: 604E08E2
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: FeaturePresentProcessor
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2325560087-0
                                                                                                                                                                                                                          • Opcode ID: 2f85578fcd3bf92a21dc8cc330ca50db2ce42154a7c992b926f630c119d77fd3
                                                                                                                                                                                                                          • Instruction ID: e3cd310b672f94ccacb6aa55d63aaa51d462b6f1d6c0a53941a1badb801d16b7
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2f85578fcd3bf92a21dc8cc330ca50db2ce42154a7c992b926f630c119d77fd3
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 54F0BB3514030E76FF212E625C07F9A3E196F7175EF504028BF28681D2EFAAC8A192D1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • CreateFileW.KERNELBASE(565753E5,89167401,1839FFFD,8B08758B,D043E8CF,8BE85653,00000000,604FE636,604E09D3,68F1890C,604FE61E), ref: 604E0D4C
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CreateFile
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 823142352-0
                                                                                                                                                                                                                          • Opcode ID: b0e8d94829b999177352271e88343e6dccc9e1f9ab8a0ab12b3671f2b92aef4b
                                                                                                                                                                                                                          • Instruction ID: 87ad05c4e5932bb1dd5d36cc2dc58799e8f6bfadf531effa7de479d6e4dc6040
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b0e8d94829b999177352271e88343e6dccc9e1f9ab8a0ab12b3671f2b92aef4b
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 57D06C3200010DBBDF029F84DD06EDA3FAAFB48714F014000BA1866020C736E821AB90
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: e09c57e7ef729585aec6e2ba78e3939b6ee683358bb3e4ed1cf7e9ee81f2664e
                                                                                                                                                                                                                          • Instruction ID: 05d7c9c003bfc878892a9b821da53edaa4feb39521bdc241150d694318aae20d
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e09c57e7ef729585aec6e2ba78e3939b6ee683358bb3e4ed1cf7e9ee81f2664e
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 37514B75B006058FCB14DF69D994E6EBBF6EF88310B1181A8E50ADB365DB74EC05CBA0
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 1ec9227d46f5a1722a34f377f28006b4b1a7c3eae82456b037e5e9f430da40dc
                                                                                                                                                                                                                          • Instruction ID: e4b90791dec4a629ac745bd78252612ac5086590897c25854f032d94574ba655
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1ec9227d46f5a1722a34f377f28006b4b1a7c3eae82456b037e5e9f430da40dc
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 565103726006009FC315EB24C94149AFBF2EF853043118A6ED08A9B765EF72FA4B8BC1
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 5139c58115fa4b1e7815cd28c69c089ab5c33399aa7050c56c6b4adc2406d397
                                                                                                                                                                                                                          • Instruction ID: f24efb45ab6b8e184cb84912e46190ed497326faa8cec11f1969d948adb94ea3
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5139c58115fa4b1e7815cd28c69c089ab5c33399aa7050c56c6b4adc2406d397
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E2513B30A006189FCB14DFA4D494BADB7F2FF88711F24C0A9E906A7364DB389C51CB90
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 0ca3a18d2e181a263592d23226a35ebb7cd84b4d03aa3ca980b52000cf97a7c1
                                                                                                                                                                                                                          • Instruction ID: c81a7e18c9cdb364814c401e53eabb560f54bde97ed2a98d2586c50dac2c4cb1
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0ca3a18d2e181a263592d23226a35ebb7cd84b4d03aa3ca980b52000cf97a7c1
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A0410A74A10208DFDB18EFB5D984AADBBF2FF88300F148169D505A73A8EB359845CF60
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 334091a2da9659eee8ed8ccfe3aa564fb71dbe6e40563d91f8d44a235c88fa28
                                                                                                                                                                                                                          • Instruction ID: 9bdfe26863a153987173675448ec7d19e0916281e7d9ceee4c65faf19c34138e
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 334091a2da9659eee8ed8ccfe3aa564fb71dbe6e40563d91f8d44a235c88fa28
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5741FD34A00514DFDB04EFA5E494AADB7F2FF88715F2080A5E916A73A4EB389D42CF50
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: dcc964dc2317a121480fe940c9cf7797bb0b6520efc7db892985dee01f8c8b2c
                                                                                                                                                                                                                          • Instruction ID: a12a71519dfef3af70551057c5094a958efaa6b3055e431218f138654dc5750b
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dcc964dc2317a121480fe940c9cf7797bb0b6520efc7db892985dee01f8c8b2c
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A6311E70A102099FDB18DFB5D984AEDBBF2FFC8340F144579D501A72A8EB399945CB21
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 61d43a310a1f1a6340567fe33c73b0635c93ed7794bb25ce9d457a6373aeb6ac
                                                                                                                                                                                                                          • Instruction ID: 79dd4b2fecb37c7336c86e60cd0c460d3092aff19b485fdafa11debf5b2490e7
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 61d43a310a1f1a6340567fe33c73b0635c93ed7794bb25ce9d457a6373aeb6ac
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4D413B34900209CFDB05EFA8D994BEEBBB1FF89314F108165D505A73A8EB349945CF90
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: f925840f871c5ecafef771c629abd1228cf8db7463cc479a7910c1133bba092b
                                                                                                                                                                                                                          • Instruction ID: d78fb19fd20e8b9fc685e6319d79ae080e3de5c727a4c5ee669bbe7c9854cd3c
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f925840f871c5ecafef771c629abd1228cf8db7463cc479a7910c1133bba092b
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0531E830A002049FDB04EB78D954A9DB7F6FF85310F10852DD01AE73A5EF79AD4A8B91
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: ad3f9b4c9feb4f4cad9b0d944b9f588d2b57bd068a23f0dc7ff161b2c4b4b202
• Instruction ID: 989bedd81fb7dd3d59f03bea31d075579da0a696b81e99d9cf4586d42b4df1dc
• Opcode Fuzzy Hash: ad3f9b4c9feb4f4cad9b0d944b9f588d2b57bd068a23f0dc7ff161b2c4b4b202
• Instruction Fuzzy Hash: 2F31F934900209CFDB05EFA8D594BEEBBB1FF89314F108165D615A7368EB34A945CF90
Memory Dump Source
• Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3560284a17447feb59fc6fe8fd858590dc313b07d02fc00180b27feed8b6a5ce
• Instruction ID: d0bf70d8e9f0b4224eb5f04217ad66123ebc7ae43be875e45a8fa7229b18f058
• Opcode Fuzzy Hash: 3560284a17447feb59fc6fe8fd858590dc313b07d02fc00180b27feed8b6a5ce
• Instruction Fuzzy Hash: AB21A4312042455FC706EB38EA50B6EBBA3EFC0310B558A79D0158B769DF70ED8E8795
Memory Dump Source
• Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e4182c137dd6ef1cb0a85dfe78e1522a04bc633905ed65ad2c72ee134cdac4d1
• Instruction ID: 264da44aa30c5e9f523d71cbed5c28a7988613085030e50b7a54554f10884186
• Opcode Fuzzy Hash: e4182c137dd6ef1cb0a85dfe78e1522a04bc633905ed65ad2c72ee134cdac4d1
• Instruction Fuzzy Hash: 7931E174910208DFDB18DFA4D9946ADBBF2FFC8340F144165D505A7268EB799845CF21
Memory Dump Source
• Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6f269a8501f15fbfc6cab102148c548c02cd4d91f2f1e46318b6a1a93d4c78a6
• Instruction ID: 4cda32e2402fbd8a4b91e0e9bd4c922dbed78ed131c1ad9ce0d70c348ecea3ac
• Opcode Fuzzy Hash: 6f269a8501f15fbfc6cab102148c548c02cd4d91f2f1e46318b6a1a93d4c78a6
• Instruction Fuzzy Hash: DB215AB1C01248DFDB11CFA8D5587ADBFF2EB48314F2480AAE845A7350DB799948CF91
Memory Dump Source
• Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b2b47574b98d5d428e3f1448f4983fa29e201bb44b2cfcd996df696b6482d04e
• Instruction ID: 25be71684cb5c21f42ac8da922dad36a53105c698d7c5a6a76f59af1e9dfd8ac
• Opcode Fuzzy Hash: b2b47574b98d5d428e3f1448f4983fa29e201bb44b2cfcd996df696b6482d04e
• Instruction Fuzzy Hash: E12166312002055FCB15EB79E940A6EB7A6EFC4310B448A38D4158B369DF70FD8E8B95
Memory Dump Source
• Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: dd3c65b9810d84918a5e0062f4a5314cc642736f0634c706b2c28c57a2b318c7
• Instruction ID: 23f761afebd5f574c22bef6307cc5ceaa3905252ad58c61f7dfe6a62b8a8c7cc
• Opcode Fuzzy Hash: dd3c65b9810d84918a5e0062f4a5314cc642736f0634c706b2c28c57a2b318c7
• Instruction Fuzzy Hash: 3C214871D00248DFDB11DFA8D558BADBFF6EB48314F20806AE845A7350DB799845CF91
Memory Dump Source
• Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 97535f37366887f9870bcded97420744a4284d3930ccb5bbe52764a0234de0a4
• Instruction ID: 4328f11fe583878aeac92d2f2487da88406bfbd5c1fe052773acf9d3f1d9da13
• Opcode Fuzzy Hash: 97535f37366887f9870bcded97420744a4284d3930ccb5bbe52764a0234de0a4
• Instruction Fuzzy Hash: E621EB75E101099FDB14DFA4D980AADBBF2FFC8340F108165D915A72A8EB749845CF21
Memory Dump Source
• Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: def727c9795fc85d127c46f3620c3da5b7edb536d0d661084134b1b16a22162c
• Instruction ID: 7da342fecae1c7faf4a45ef2f8a30101256e995978f61ff8f189f058643cb2bb
• Opcode Fuzzy Hash: def727c9795fc85d127c46f3620c3da5b7edb536d0d661084134b1b16a22162c
• Instruction Fuzzy Hash: BE210835A002188FDB14DBA9D588ADDBBF5EF4C310F2400A5E505BB3A1DB79AD84CBA0
Memory Dump Source
• Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bc4a996e49683f88cefc225fcd1239effd7aeb4158348df6eb3e9e307bcc1ecc
• Instruction ID: 267a704b4125f642213d57ae9a25bd962e246879d0afad159e838560561126fc
• Opcode Fuzzy Hash: bc4a996e49683f88cefc225fcd1239effd7aeb4158348df6eb3e9e307bcc1ecc
• Instruction Fuzzy Hash: 4B219574A402089FDB14DFA4D984AACBBF6FF89300F204169D915A7368EB349D45CF51
Memory Dump Source
• Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 78b5f3a0c231cd825410a169732304522eea9266f9549f2e28aef8675c887905
• Instruction ID: 5d6eeaa073a264c193e7ff1e76accf0ad93d6a40d0fdd61a6d2559f7372c489d
• Opcode Fuzzy Hash: 78b5f3a0c231cd825410a169732304522eea9266f9549f2e28aef8675c887905
• Instruction Fuzzy Hash: AB116D72900205CFDB10DBA4C9487EEBBF1AF49305F1084AAD406B7292DB798E45CB51
Memory Dump Source
• Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e14a69c0024200f9d541b7ba3ee2c4df01d51466b6aa8953b8effeb34ddc0fcd
• Instruction ID: 1135700dba0ee35e36ed3070eb460034a58c8fcf9822195edc001cbaf43d0e7d
• Opcode Fuzzy Hash: e14a69c0024200f9d541b7ba3ee2c4df01d51466b6aa8953b8effeb34ddc0fcd
• Instruction Fuzzy Hash: 08116A35A00618CFDB10CBA9CA98BDDBBF1AF4C314F2500A9D401BB3A0DB799D84CB60
Memory Dump Source
• Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 11c35aa827491331ee22a8af32a70a2f7557f9f4b8ddf8640cbfb288d2d2b20a
• Instruction ID: ef54ca888f33fa4bfcc6aebd26b0258b7f50d5c728273fa6e8063fb5c9c1f8ab
• Opcode Fuzzy Hash: 11c35aa827491331ee22a8af32a70a2f7557f9f4b8ddf8640cbfb288d2d2b20a
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C401F5327082855FD7066B355C2427E2FB6EB8625176944AAD405DB392CE304D0EC76A
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 74b9fa0db887afe3a2188b1fa793b0135e611610122e5a8a917166de977a82a5
                                                                                                                                                                                                                          • Instruction ID: 9c2d3a90a45bfa60d4b1eba7d06bc1265dea685b29ea497d4203c30226f24be9
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 74b9fa0db887afe3a2188b1fa793b0135e611610122e5a8a917166de977a82a5
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2A018C313101158FCB44EF28E984E99BBF1FF85B14B1185A9E105CB376EB31EE4A8B80
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: df45385229ade1d463be20c8cf69bd352d0c46c038d109b9b3cb521c5b262ab2
                                                                                                                                                                                                                          • Instruction ID: 995cee01733ce5b91854e434a1e56baed58cb9900db52362d611bd9f68e2898e
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: df45385229ade1d463be20c8cf69bd352d0c46c038d109b9b3cb521c5b262ab2
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FE115B34A14284CFEB05EFB8E968BAE7FF2AB89301F044469D502A73A5DF385905CB51
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 6046a35d09d96348fc9840f107ad603dc110aa7820b045e000140152beba6182
                                                                                                                                                                                                                          • Instruction ID: 5167138f371708b77a713f381b13290e22a6ae49d2ded3b17b819d423307bf38
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6046a35d09d96348fc9840f107ad603dc110aa7820b045e000140152beba6182
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 80013C763002248B8704AB69E89496AB7FAEBC9761315857AEA06C7351DE319C06D7A0
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 9a355d4b1f79d1160a498bf15c1809ab49d7288963ea605d6be94477f8a3fac5
                                                                                                                                                                                                                          • Instruction ID: df55b15c3af0460a503f5b453629add8cc301f5f10863306b77ac63a5423b0b2
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9a355d4b1f79d1160a498bf15c1809ab49d7288963ea605d6be94477f8a3fac5
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5101BC766007008FCB129B38C60855ABBE2EF8231472589EAD14ACF325DF30EC088BC1
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 24ec08b592afda52e09d5c831fabbd585ed8672a5108e22d972149b942c4d5cb
                                                                                                                                                                                                                          • Instruction ID: c3b1bb5acd000ae623376e798f4752866c1b15570c84cb7a463d492001824506
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 24ec08b592afda52e09d5c831fabbd585ed8672a5108e22d972149b942c4d5cb
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CB011E34A10244CFEB04EFB8E958BAE7BF2EB89301F008469D502973A5DF395845CB51
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 3c69ac057489773e69edaf248df4dfe2246ee9ade4a171fc625e69c73e9bac71
                                                                                                                                                                                                                          • Instruction ID: ec491bf2c163a809ab4e53701330fe4107a3228a73d043d72ccd4a9b1b208f3c
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3c69ac057489773e69edaf248df4dfe2246ee9ade4a171fc625e69c73e9bac71
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B2F096777011148FC704EB29E894E6A7BB6EBD936571681BEE909C7361DA309C06C7A0
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: ed268d6d7b143e77b786be85f78b1c69efdba85c8a5fc61bdd32a9601410c879
                                                                                                                                                                                                                          • Instruction ID: c7b8d7bf97f9ce48a80112acc2f1cadc158a9bec4e1e8ddfd536fd53e6fd4991
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ed268d6d7b143e77b786be85f78b1c69efdba85c8a5fc61bdd32a9601410c879
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 62F04975905288AFCF01EBB4E9519ACBFB2DF56200B1181EAD849EB262DA305E4DCB41
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                          • Opcode ID: 995840ba4c8198a07926edc8530a917456b55b7bc64d7a543a9df573235e9bbe
                                                                                                                                                                                                                          • Instruction ID: b360d99b332bd35658b8b58f233cda662b18ec29939a8876c098d20ae5ad2f19
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 995840ba4c8198a07926edc8530a917456b55b7bc64d7a543a9df573235e9bbe
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1FE0E5327041082F8B08A6A66D5197F6AEAEBC82607540839F109D7340DF316D0A47A9
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                          • String ID:
• API String ID:
• Opcode ID: 4f451afd0f429fa4ab879ed18848c0281c5bd5473b52dd1e3d031b1329efa96f
• Instruction ID: 21bdb48f16b0f66d7cf20e5a3dc5f5d92e38801de7f747e5b31e1ab2ef5abe00
• Opcode Fuzzy Hash: 4f451afd0f429fa4ab879ed18848c0281c5bd5473b52dd1e3d031b1329efa96f
• Instruction Fuzzy Hash: 4BF01235A0020DEFCF44EFA8D941A6DBBF6DF84300F1041A89909A7354DA305F49DB51

Memory Dump Source
• Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a739f1f921da956019bfb92e204c16a320ae7fd72131dd0e83aebf563853eba3
• Instruction ID: 2b73b3d070373a51f13a37ef5f6667bd5480b1c4141ac892bbdcc096a0c0ff78
• Opcode Fuzzy Hash: a739f1f921da956019bfb92e204c16a320ae7fd72131dd0e83aebf563853eba3
• Instruction Fuzzy Hash: 17F05E72E141188FC754EFB885055DD7BF0EB89300B2140BAD109D7251EB308D048B82

Memory Dump Source
• Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 35288ac8ba3dd5bd5d6993104bd1f7b81179563059457d876747ee8ad0e7c6fd
• Instruction ID: f6eda832253880b318da03dfbd561bd4b854fc18909720083425c79c2648ce4b
• Opcode Fuzzy Hash: 35288ac8ba3dd5bd5d6993104bd1f7b81179563059457d876747ee8ad0e7c6fd
• Instruction Fuzzy Hash: 5AE0923590A3405BEB22069175343B03FA5DB42319F1980DAD88D4BBD2E7EE4C8AE792

Memory Dump Source
• Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1d76c65e09a6e0c778fd94b9d2e138350695d7e1fca8fc30dc45348bdbcfed23
• Instruction ID: eeb31618bd0b37ecba1a03c35ccc80775002133da8bea1b729af3fc56cc41de2
• Opcode Fuzzy Hash: 1d76c65e09a6e0c778fd94b9d2e138350695d7e1fca8fc30dc45348bdbcfed23
• Instruction Fuzzy Hash: 81E0C971E101188F8B84EFBD95056EE7BF5EB49311B2140BAE619E7311EA709E018B91

Memory Dump Source
• Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 532bcede17e056fdddf276282560526110f257c64bd2107b1cb86a12dde3df2c
• Instruction ID: c9840231c03fffd0cea0f5ee0526ffe3b8211e077553ad1f5cd29286058a7bbc
• Opcode Fuzzy Hash: 532bcede17e056fdddf276282560526110f257c64bd2107b1cb86a12dde3df2c
• Instruction Fuzzy Hash: 09E092393042808FDB125778D828A697FE6DFC7215B0A04EAE045CB772CE748C01C761

Memory Dump Source
• Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2c83f90f4d5a55d325462d2bb93665b0b91996b02610ff483aa13391fda4b18b
• Instruction ID: d69cbc0a066a914dd466b2202e3d8147026f7323af1ce89ec5bada6e137e1ebe
• Opcode Fuzzy Hash: 2c83f90f4d5a55d325462d2bb93665b0b91996b02610ff483aa13391fda4b18b
• Instruction Fuzzy Hash: A2D0C27B7001104783299665A904A7B22F7DBC862132D402ADD09C3324EE388E0B53A1

Memory Dump Source
• Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f5092c28f68c34a868beb0d07b796aa427320e413b3318ffebd7525ca5a74fdc
• Instruction ID: 0fe46f527d55adc4d09373b1372d9b140995c2cc9cf8bbf1563fddc2291e0737
• Opcode Fuzzy Hash: f5092c28f68c34a868beb0d07b796aa427320e413b3318ffebd7525ca5a74fdc
• Instruction Fuzzy Hash: 8CD02B3330010057D71456596C00AB722EBE7C8335B18402AFA08C3220FE759C024390

Memory Dump Source
• Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6ff56d8382eacf146aa5699ce084a729236e977f607c5198118b53c6adf4d7b5
• Instruction ID: 2c6d2b00dd72fa0766be6c9f5922d9c857be6c3ad9ce5a99d33b1b2b7ba4af89
• Opcode Fuzzy Hash: 6ff56d8382eacf146aa5699ce084a729236e977f607c5198118b53c6adf4d7b5
• Instruction Fuzzy Hash: ECD01233B041701BD705325C78143FD26D6CBC9262F4A01B7F615E7356CD648D075795

Memory Dump Source
• Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3ff181d870b709bea4aa403b4aaa7b5bcb40bd6332e95ead7d7fba11d8f50d8a
• Instruction ID: 097a29ae5f21cc83fa443fe48a060a0903c46e31876a47825510bb036e4fd652
• Opcode Fuzzy Hash: 3ff181d870b709bea4aa403b4aaa7b5bcb40bd6332e95ead7d7fba11d8f50d8a
• Instruction Fuzzy Hash: 38D05E7AA496804FCB05D728E0909547BB2AF9931071605E9E55ACB3BAD924CC86CB05

Memory Dump Source
• Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aca6774fa8d5fda18a68568272a4bf44102ab4a8a23db0af5f27e2370ac0c5fe
• Instruction ID: d529a790d194382e8e93eee3ff3b01800808f6dcb4460e2b8f434dab16cc0133
• Opcode Fuzzy Hash: aca6774fa8d5fda18a68568272a4bf44102ab4a8a23db0af5f27e2370ac0c5fe
• Instruction Fuzzy Hash: B2C012353802088FC708EB6CE080C25B3FAABCC71031044B8E619CB339DE20EC828A18

Memory Dump Source
• Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c55110c4ab3520c0b9919b90a9505f7fddf10f8a28b75e18e18b44bbb373269b
• Instruction ID: 05470ce5e5fa6ddd1b998ee0b22856f3cd0760bc18d94e455e27cc08bf9cdbe5
• Opcode Fuzzy Hash: c55110c4ab3520c0b9919b90a9505f7fddf10f8a28b75e18e18b44bbb373269b
• Instruction Fuzzy Hash: BCB02B3010020957C6100625FC088213B1DEB4011474001D4AC0C02110ED23E8208081

Memory Dump Source
• Source File: 0000000E.00000002.3468536122.0000000000B60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_b60000_GamePall.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9a24a11e2a69ca79b229a159f148e4c3e25387b9bf4f7566e2eea9aa219d52d0
                                                                                                                                                                                                                          • Instruction ID: 24b98469c34045e2d20c152f7894e134852a1828ab3cfcdbe16b9dd396bbbad6
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9a24a11e2a69ca79b229a159f148e4c3e25387b9bf4f7566e2eea9aa219d52d0
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9CB092E3DA18806AFA404990A9A97803360D720703F410260900994A80B058B6024D1A
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 604AE6C0: GetCurrentThread.KERNEL32 ref: 604AE6C7
                                                                                                                                                                                                                          • QueryThreadCycleTime.KERNEL32(00000000,00000000), ref: 604AE170
                                                                                                                                                                                                                          • GetCurrentThread.KERNEL32 ref: 604AE1F7
                                                                                                                                                                                                                          • GetThreadPriority.KERNEL32(00000000), ref: 604AE1FA
                                                                                                                                                                                                                          • GetCurrentThread.KERNEL32 ref: 604AE204
                                                                                                                                                                                                                          • SetThreadPriority.KERNEL32(00000000,00000002), ref: 604AE209
                                                                                                                                                                                                                          • QueryPerformanceCounter.KERNEL32(?), ref: 604AE267
                                                                                                                                                                                                                          • GetCurrentThread.KERNEL32 ref: 604AE276
                                                                                                                                                                                                                          • SetThreadPriority.KERNEL32(00000000,?), ref: 604AE281
                                                                                                                                                                                                                          • QueryPerformanceFrequency.KERNEL32(?), ref: 604AE28F
                                                                                                                                                                                                                          • __Init_thread_header.LIBCMT ref: 604AE2F3
                                                                                                                                                                                                                          • __Init_thread_header.LIBCMT ref: 604AE371
                                                                                                                                                                                                                          • QueryPerformanceCounter.KERNEL32(?), ref: 604AE392
                                                                                                                                                                                                                            • Part of subcall function 604CCFDD: EnterCriticalSection.KERNEL32(60566154,?,?,604FE6B4,60575234,?,604FE72A,?,?,6046B0B9,ios_base::clear,?,?,?,6049F89D,?), ref: 604CCFE7
                                                                                                                                                                                                                            • Part of subcall function 604CCFDD: LeaveCriticalSection.KERNEL32(60566154,?,604FE6B4,60575234,?,604FE72A,?,?,6046B0B9,ios_base::clear,?,?,?,6049F89D,?), ref: 604CD01A
                                                                                                                                                                                                                            • Part of subcall function 604CCFDD: WakeAllConditionVariable.KERNEL32(?,60575234,?,604FE72A,?,?,6046B0B9,ios_base::clear,?,?,?,6049F89D,?,?,?,604B2085), ref: 604CD08D
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3490853439.0000000060450000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491756212.0000000060529000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491908614.000000006054A000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491959000.000000006054C000.00000008.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491959000.000000006055C000.00000008.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491959000.0000000060564000.00000008.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492083196.0000000060566000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492122559.0000000060572000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492191897.0000000060575000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492229716.000000006057D000.00000020.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492267357.000000006057E000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Thread$CurrentQuery$PerformancePriority$CounterCriticalInit_thread_headerSection$ConditionCycleEnterFrequencyLeaveTimeVariableWake
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 1831388462-0
                                                                                                                                                                                                                          • Opcode ID: f8ba9a6f7c27788cf0cd7c8f4efd0ecf9d1eeb36953afb5d9e0bb415c09b0cbe
                                                                                                                                                                                                                          • Instruction ID: a9ccffaf3cba59462507087b385c66bee3a7edbddf8e2bbdde33e05808d7fb76
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f8ba9a6f7c27788cf0cd7c8f4efd0ecf9d1eeb36953afb5d9e0bb415c09b0cbe
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 05618071518701DFC712DF39C88595ABFB4FFBA340F128B2AE895A2261EB359841DB42
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3490853439.0000000060450000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491756212.0000000060529000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491908614.000000006054A000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491959000.000000006054C000.00000008.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491959000.000000006055C000.00000008.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491959000.0000000060564000.00000008.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492083196.0000000060566000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492122559.0000000060572000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492191897.0000000060575000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492229716.000000006057D000.00000020.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492267357.000000006057E000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: _strlen
                                                                                                                                                                                                                          • String ID: "-Infinity"$"0x%llx"$"Infinity"$"NaN"$"Unsupported (crbug.com/1225176)"$%lld$%llu$%s:%d: assertion %s failed: %s$-Infinity$..\..\third_party\libc++\src\include\string$0x%llx$Infinity$NULL$NaN$__pos <= size()$false$string index out of bounds$true
                                                                                                                                                                                                                          • API String ID: 4218353326-2785851941
                                                                                                                                                                                                                          • Opcode ID: 4e32ef367f5bd1e2fbf32c2606e12e9c81f37a5d552e5555d0eae0af3dc32a6e
                                                                                                                                                                                                                          • Instruction ID: ed226d8dadff397e0f6cb7102220ae0ada20f867788e667602c08015a0cf6c16
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4e32ef367f5bd1e2fbf32c2606e12e9c81f37a5d552e5555d0eae0af3dc32a6e
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6F915879A58310BADB10CE24AC40F6A7FD6AFB6388F104D2DF8849B1D1E7358D059292
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • __Init_thread_header.LIBCMT ref: 60470642
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3490853439.0000000060450000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491756212.0000000060529000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491908614.000000006054A000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491959000.000000006054C000.00000008.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491959000.000000006055C000.00000008.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491959000.0000000060564000.00000008.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492083196.0000000060566000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492122559.0000000060572000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492191897.0000000060575000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492229716.000000006057D000.00000020.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492267357.000000006057E000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: Init_thread_header
                                                                                                                                                                                                                          • String ID: XW`$,XW`$8XW`$DXW`$Friday$Monday$PXW`$Sunday$Tuesday$\XW`$hXW`$rday$tXW`
                                                                                                                                                                                                                          • API String ID: 3738618077-3713428989
                                                                                                                                                                                                                          • Opcode ID: 97c42054eaaf0d2d0ba09cf7a5e5f86a027fc228b24b603907b44c0880b966a3
                                                                                                                                                                                                                          • Instruction ID: 9b2247f653994a24708852c55cb874f0188d2255a340decca00e52202fd85c32
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 97c42054eaaf0d2d0ba09cf7a5e5f86a027fc228b24b603907b44c0880b966a3
• Instruction Fuzzy Hash: 0081DA709092A4CFEB26CB18C954B043FE1A733304F6A8199D4446F3B1D7FA9989EB57
APIs
• GetCurrentProcess.KERNEL32(?,?,?,?,?,80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000001,?,?,?,?,?,?,?,00000000), ref: 6047827D
  • Part of subcall function 604840E0: ExpandEnvironmentStringsW.KERNEL32(?,?,00000400,?,?,?,80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000001), ref: 604841A2
Strings
• DisplayVersion, xrefs: 604781A7
• UBR, xrefs: 60478197
• ReleaseId, xrefs: 60478346
• null pointer passed to non-null argument of char_traits<...>::length, xrefs: 60478490
• %s:%d: assertion %s failed: %s, xrefs: 604784A4
• __len <= static_cast<size_type>(numeric_limits<difference_type>::max()), xrefs: 60478484
• ..\..\third_party\libc++\src\include\string_view, xrefs: 6047849F
• string_view::string_view(_CharT *, size_t): received nullptr, xrefs: 6047846E
• __len == 0 || __s != nullptr, xrefs: 60478473
• SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 6047817E
• string_view::string_view(_CharT *, size_t): length does not fit in difference_type, xrefs: 6047847F
• __s != nullptr, xrefs: 60478495
Memory Dump Source
• Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
• Associated: 0000000E.00000002.3490853439.0000000060450000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491756212.0000000060529000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491908614.000000006054A000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006054C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006055C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.0000000060564000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492083196.0000000060566000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492122559.0000000060572000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492191897.0000000060575000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492229716.000000006057D000.00000020.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492267357.000000006057E000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
Similarity
• API ID: CurrentEnvironmentExpandProcessStrings
• String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\string_view$DisplayVersion$ReleaseId$SOFTWARE\Microsoft\Windows NT\CurrentVersion$UBR$__len <= static_cast<size_type>(numeric_limits<difference_type>::max())$__len == 0 || __s != nullptr$__s != nullptr$null pointer passed to non-null argument of char_traits<...>::length$string_view::string_view(_CharT *, size_t): length does not fit in difference_type$string_view::string_view(_CharT *, size_t): received nullptr
• API String ID: 2339647510-1199739361
• Opcode ID: 5e1c54f73b07a36956e92b99f360ac53558dca81faf692c602a534263711f0bc
• Instruction ID: de6bfaa05ecb115f578e8fc585d5f68e320d8d2356e8f85db87c3ceef3aaabd6
• Opcode Fuzzy Hash: 5e1c54f73b07a36956e92b99f360ac53558dca81faf692c602a534263711f0bc
• Instruction Fuzzy Hash: 13A1B0709442049FDB34CF28C880EDABFF1AF65714F14856EE849EB241E7B9D9468B92
APIs
• InitOnceExecuteOnce.KERNEL32(605771C8,6049A0E0,?,00000000,00000000,6049A570,?,?,00000130), ref: 6049A279
• GetLastError.KERNEL32(?,?,00000130), ref: 6049A297
• TlsGetValue.KERNEL32(?,?,00000130), ref: 6049A2A5
• SetLastError.KERNEL32(00000000,?,?,00000130), ref: 6049A2AE
• TlsSetValue.KERNEL32(00000000,?,?,?,?,?,?,00000130), ref: 6049A2D1
• AcquireSRWLockExclusive.KERNEL32(605771D4,?,?,00000130), ref: 6049A2E4
• ReleaseSRWLockExclusive.KERNEL32(605771D4,?,?,00000130), ref: 6049A2F5
• LoadLibraryW.KERNEL32(bcryptprimitives,?,?,?,00000130), ref: 6049A348
• GetProcAddress.KERNEL32(00000000,ProcessPrng), ref: 6049A358
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
Similarity
• API ID: ErrorExclusiveLastLockOnceValue$AcquireAddressExecuteInitLibraryLoadProcRelease
• String ID: ProcessPrng$bcryptprimitives
• API String ID: 1967882921-1205050517
• Opcode ID: 9982944fb7a435d84e5dbb2ba303c5da7410ab67c8fa04fb85f90eab1de7b9a1
• Instruction ID: 82c668bcdb5cf36d655a26834a14e77681a050e055721b49baeee29e33ef5fb5
• Opcode Fuzzy Hash: 9982944fb7a435d84e5dbb2ba303c5da7410ab67c8fa04fb85f90eab1de7b9a1
• Instruction Fuzzy Hash: 66318174900219ABDB216FA5DC49EAA3F68FF67715F814034FC05A6351EB359D20CBE1
APIs
• AcquireSRWLockExclusive.KERNEL32(00000030,?,00000000,?,60464838,?,?,?,?,?,?,?,?,?,?), ref: 60464118
• SleepConditionVariableSRW.KERNEL32(00000034,00000030,00000000,00000000,?,60464838,?,?,?,?,?,?,?,?,?,?), ref: 60464137
• ReleaseSRWLockExclusive.KERNEL32(00000030,?,60464838,?,?,?,?,?,?,?,?,?,?,?,604FC016), ref: 60464152
• GetLastError.KERNEL32(?,60464838,?,?,?,?,?,?,?,?,?,?,?,604FC016), ref: 60464176
• AcquireSRWLockExclusive.KERNEL32(?,00000030,?,?,?,?,?,?,?,?,?,60464838,?), ref: 604641A7
• WakeConditionVariable.KERNEL32(?,?,00000030,?,?,?,?,?,?,?,?,?,60464838,?), ref: 604641BA
• ReleaseSRWLockExclusive.KERNEL32(?,?,00000030,?,?,?,?,?,?,?,?,?,60464838,?), ref: 604641C1
Strings
• SleepConditionVariableSRW failed: %lu, xrefs: 60464188
• win32_waiter.cc, xrefs: 6046418F
Memory Dump Source
• Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
Similarity
• API ID: ExclusiveLock$AcquireConditionReleaseVariable$ErrorLastSleepWake
• String ID: SleepConditionVariableSRW failed: %lu$win32_waiter.cc
• API String ID: 4254592985-2919041413
• Opcode ID: 59f287135781e49aa5a3f55aceca209acffea5d742c90f877764d8e5615bc5bc
• Instruction ID: 3ece8d62604239b55d284b61b6ba5ec0a2aacdabf3cb65e0a7df39f6a656a067
• Opcode Fuzzy Hash: 59f287135781e49aa5a3f55aceca209acffea5d742c90f877764d8e5615bc5bc
• Instruction Fuzzy Hash: CD21F771600704AFD724AF65CC48EDB7FA8EFA7364F40842DF45AD2241EB34A840CB91
APIs
• SetEnvironmentVariableW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6047BAE7,CHROME_CRASHPAD_PIPE_NAME,00000019,?,?), ref: 6048A0BE
• SetEnvironmentVariableW.KERNEL32(?,00000000,?,?,?,..\..\third_party\libc++\src\include\string_view,0000013A,__len <= static_cast<size_type>(numeric_limits<difference_type>::max()),string_view::string_view(_CharT *, size_t): length does not fit in difference_type,?,?,?,6047BAE7,CHROME_CRASHPAD_PIPE_NAME,00000019,?), ref: 6048A173
Strings
• %s:%d: assertion %s failed: %s, xrefs: 6048A128
• string_view::string_view(_CharT *, size_t): received nullptr, xrefs: 6048A103
• ..\..\third_party\libc++\src\include\string_view, xrefs: 6048A123
• __len <= static_cast<size_type>(numeric_limits<difference_type>::max()), xrefs: 6048A119
• __len == 0 || __s != nullptr, xrefs: 6048A108
• string_view::string_view(_CharT *, size_t): length does not fit in difference_type, xrefs: 6048A114
Memory Dump Source
• Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3490853439.0000000060450000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491756212.0000000060529000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491908614.000000006054A000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491959000.000000006054C000.00000008.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491959000.000000006055C000.00000008.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491959000.0000000060564000.00000008.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492083196.0000000060566000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492122559.0000000060572000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492191897.0000000060575000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492229716.000000006057D000.00000020.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492267357.000000006057E000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: EnvironmentVariable
                                                                                                                                                                                                                          • String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\string_view$__len <= static_cast<size_type>(numeric_limits<difference_type>::max())$__len == 0 || __s != nullptr$string_view::string_view(_CharT *, size_t): length does not fit in difference_type$string_view::string_view(_CharT *, size_t): received nullptr
                                                                                                                                                                                                                          • API String ID: 1431749950-2671331263
                                                                                                                                                                                                                          • Opcode ID: 79e5b8813e73686ac06bc330ff17f01b07b658803072c7215a82688ddb6663f0
                                                                                                                                                                                                                          • Instruction ID: d8f62a4eaa287039b84c39434ec034dcbd11d7ef30ca282601305052753fda62
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 79e5b8813e73686ac06bc330ff17f01b07b658803072c7215a82688ddb6663f0
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1031F372D042286BEB259B90CC05FAF7F74AF26318F04842DF90537281D779AA6587D2
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • CreateFileW.KERNEL32 ref: 60516269
                                                                                                                                                                                                                          • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 605162A5
                                                                                                                                                                                                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 605162EF
                                                                                                                                                                                                                          • CreateFileW.KERNEL32 ref: 605163E1
                                                                                                                                                                                                                          • __Init_thread_header.LIBCMT ref: 60516435
                                                                                                                                                                                                                            • Part of subcall function 604CCF67: EnterCriticalSection.KERNEL32(60566154,?,?,?,604FE691,60575234,?,604FE72A,?,?,6046B0B9,ios_base::clear,?,?,?,6049F89D), ref: 604CCF72
                                                                                                                                                                                                                            • Part of subcall function 604CCF67: LeaveCriticalSection.KERNEL32(60566154,?,604FE691,60575234,?,604FE72A,?,?,6046B0B9,ios_base::clear,?,?,?,6049F89D,?), ref: 604CCFAF
                                                                                                                                                                                                                            • Part of subcall function 604CCFDD: EnterCriticalSection.KERNEL32(60566154,?,?,604FE6B4,60575234,?,604FE72A,?,?,6046B0B9,ios_base::clear,?,?,?,6049F89D,?), ref: 604CCFE7
                                                                                                                                                                                                                            • Part of subcall function 604CCFDD: LeaveCriticalSection.KERNEL32(60566154,?,604FE6B4,60575234,?,604FE72A,?,?,6046B0B9,ios_base::clear,?,?,?,6049F89D,?), ref: 604CD01A
                                                                                                                                                                                                                            • Part of subcall function 604CCFDD: WakeAllConditionVariable.KERNEL32(?,60575234,?,604FE72A,?,?,6046B0B9,ios_base::clear,?,?,?,6049F89D,?,?,?,604B2085), ref: 604CD08D
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3490853439.0000000060450000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491756212.0000000060529000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491908614.000000006054A000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491959000.000000006054C000.00000008.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491959000.000000006055C000.00000008.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491959000.0000000060564000.00000008.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492083196.0000000060566000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492122559.0000000060572000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492191897.0000000060575000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492229716.000000006057D000.00000020.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492267357.000000006057E000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CriticalSection$File$CreateEnterLeave$ConditionCurrentDirectoryInit_thread_headerModuleNameVariableWake
                                                                                                                                                                                                                          • String ID: LoW`$debug.log
                                                                                                                                                                                                                          • API String ID: 1936484898-137816879
                                                                                                                                                                                                                          • Opcode ID: e28a8462a94f27960c5bc5f0991c21d7fde89dfef0e437356b2d65e99e9bd546
                                                                                                                                                                                                                          • Instruction ID: 0f7cf1ffb95224ee992bdea6e17a10b43e1f92a21596261e209e3bfd3a5a92fe
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e28a8462a94f27960c5bc5f0991c21d7fde89dfef0e437356b2d65e99e9bd546
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A45104709043108BEB20EF649C45B6E7FE0EFB6708F11499CE5656B295EB7468C48BD2
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • LocalFree.KERNEL32(?), ref: 60498205
                                                                                                                                                                                                                          • SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,?,60497E78,60492814,?,60492814,?), ref: 60498264
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • __location != nullptr, xrefs: 6049828A
                                                                                                                                                                                                                          • ..\..\third_party\libc++\src\include\__memory\construct_at.h, xrefs: 60498291
                                                                                                                                                                                                                          • null pointer given to destroy_at, xrefs: 60498277
                                                                                                                                                                                                                          • __loc != nullptr, xrefs: 6049827C
                                                                                                                                                                                                                          • %s:%d: assertion %s failed: %s, xrefs: 60498296
                                                                                                                                                                                                                          • null pointer given to construct_at, xrefs: 60498285
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3490853439.0000000060450000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491756212.0000000060529000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491908614.000000006054A000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491959000.000000006054C000.00000008.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491959000.000000006055C000.00000008.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491959000.0000000060564000.00000008.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492083196.0000000060566000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492122559.0000000060572000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492191897.0000000060575000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492229716.000000006057D000.00000020.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492267357.000000006057E000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ErrorFreeLastLocal
                                                                                                                                                                                                                          • String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\__memory\construct_at.h$__loc != nullptr$__location != nullptr$null pointer given to construct_at$null pointer given to destroy_at
                                                                                                                                                                                                                          • API String ID: 3928016487-1414239786
                                                                                                                                                                                                                          • Opcode ID: a0fe2587ebd06d3ac70082572807164c9ce91051e8024f9a0f381e6857368a37
                                                                                                                                                                                                                          • Instruction ID: dfc276d790485d3ecca6a931b4850d03ed5dcc938920f4873ab3f8ccaea3d14c
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a0fe2587ebd06d3ac70082572807164c9ce91051e8024f9a0f381e6857368a37
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AD51C1B1D006149FDB14CFA9CC84EAEBFB5EFA9304F10417DE805A7350E77999418BA1
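The three function records above come from the module dumped at 0x60450000 in process 14, and most of their strings are libc++ hardening assertions (`%s:%d: assertion %s failed: %s`, `__len == 0 || __s != nullptr`, the `..\..\third_party\libc++\...` paths) rather than sample logic; the `third_party\libc++` build path and the `CHROME_CRASHPAD_PIPE_NAME` argument point at a Chromium-derived component, while `debug.log` and the environment-variable call are the entries an analyst would actually chase. The script below is an added example, not Joe Sandbox code: it parses records in this report's block layout (APIs / Strings / Memory Dump Source / Joe Sandbox IDA Plugin / Similarity), pulls the API names and strings per function, and separates assertion boilerplate from strings worth reading. The embedded input is a constructed, abridged two-record sample shaped like the blocks above; the noise patterns are an assumption tuned to the strings visible on this page.

```python
"""Triage Joe Sandbox IDA-plugin function records (added example, not Joe Sandbox code)."""
import re

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Similarity"}

# Constructed sample: two abridged records shaped like the report's blocks.
SAMPLE = r"""APIs
• SetEnvironmentVariableW.KERNEL32(?,?,6047BAE7,CHROME_CRASHPAD_PIPE_NAME,00000019,?), ref: 6048A0BE
Strings
• %s:%d: assertion %s failed: %s, xrefs: 6048A128
• ..\..\third_party\libc++\src\include\string_view, xrefs: 6048A123
• __len == 0 || __s != nullptr, xrefs: 6048A108
Memory Dump Source
• Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
Similarity
• API ID: EnvironmentVariable
• String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\string_view$__len == 0 || __s != nullptr
• API String ID: 1431749950-2671331263
APIs
• CreateFileW.KERNEL32 ref: 60516269
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 605162EF
  • Part of subcall function 604CCF67: EnterCriticalSection.KERNEL32(60566154,?), ref: 604CCF72
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
Similarity
• API ID: CriticalSection$File$CreateEnterLeave$ModuleName
• String ID: LoW`$debug.log
• API String ID: 1936484898-137816879
"""

# Assumed noise list: text emitted by libc++/CRT hardening assertions, not by the sample's own logic.
NOISE_PATTERNS = [
    re.compile(r"third_party\\libc\+\+"),                 # libc++ source path in the build tree
    re.compile(r"^%s:%d: assertion %s failed: %s$"),      # assertion-failure format string
    re.compile(r"^__\w+ (==|!=|<=|>=|<|>) "),             # assertion conditions such as __len <= ...
    re.compile(r"^(string_view|vector|basic_string)::"),  # "string_view::string_view(...): ..."
    re.compile(r"null pointer given to (construct|destroy)_at"),
]
API_RE = re.compile(r"([A-Za-z_]\w*)\.([A-Z0-9_]+)(?=\(|\s+ref)")  # Name.MODULE( or Name.MODULE ref
XREF_RE = re.compile(r"^(.*), xrefs: [0-9A-Fa-f]+$")


def parse_records(text):
    """Split the dump into one dict per function: {section header: [bullet entries]}."""
    records, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            if line == "APIs":                      # every record opens with an APIs header
                current = {h: [] for h in SECTION_HEADERS}
                records.append(current)
            section = line
        elif line.startswith("•") and current is not None and section:
            current[section].append(line.lstrip("• ").strip())
    return records


def is_noise(s):
    """True for compiler/runtime assertion boilerplate an analyst can skip."""
    return any(p.search(s) for p in NOISE_PATTERNS)


def record_strings(rec):
    """Prefer the Strings section (with xrefs); fall back to the '$'-joined String ID."""
    found = [(XREF_RE.match(e).group(1) if XREF_RE.match(e) else e) for e in rec["Strings"]]
    if not found:
        for entry in rec["Similarity"]:
            if entry.startswith("String ID: "):
                found.extend(entry[len("String ID: "):].split("$"))
    return found


def triage(text):
    """One row per function: API String ID, resolved API names, strings worth reading."""
    rows = []
    for rec in parse_records(text):
        apis = sorted({m.group(1) for e in rec["APIs"] for m in API_RE.finditer(e)})
        strings = record_strings(rec)
        ids = dict(e.split(": ", 1) for e in rec["Similarity"] if ": " in e)
        rows.append({
            "api_string_id": ids.get("API String ID", ""),
            "apis": apis,
            "interesting_strings": [s for s in strings if not is_noise(s)],
            "noise_strings": sum(is_noise(s) for s in strings),
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row["api_string_id"], row["apis"], row["interesting_strings"], row["noise_strings"])
```

Run against a whole report export, the first record above collapses to one API (`SetEnvironmentVariableW`) and zero analyst-relevant strings, while the second surfaces `debug.log`; string literals passed as call arguments (like `CHROME_CRASHPAD_PIPE_NAME`) are not parsed out of the argument lists, because those lists mix strings, `?` placeholders and nested parentheses, so they should still be read from the APIs lines directly.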
APIs
Memory Dump Source
• Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
• Associated: 0000000E.00000002.3490853439.0000000060450000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491756212.0000000060529000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491908614.000000006054A000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006054C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006055C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.0000000060564000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492083196.0000000060566000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492122559.0000000060572000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492191897.0000000060575000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492229716.000000006057D000.00000020.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492267357.000000006057E000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: _strrchr
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 3213747228-0
                                                                                                                                                                                                                          • Opcode ID: 5e558e28cd5b0b8d24ebe8efc3243449e27dd7fc0835bb39817d3425118a5633
                                                                                                                                                                                                                          • Instruction ID: 665fbe1c66f5027a43ed64a65a14c071d2dd1a39a30c47c50c2ac0b2b70d88a6
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5e558e28cd5b0b8d24ebe8efc3243449e27dd7fc0835bb39817d3425118a5633
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0EB17972D043559FDB218FA5CC81FAEBFA5EF66345F104995E900AB381D3789903CBA1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • null pointer passed to non-null argument of char_traits<...>::length, xrefs: 6052424C
                                                                                                                                                                                                                          • %s:%d: assertion %s failed: %s, xrefs: 60524260
                                                                                                                                                                                                                          • ..\..\third_party\libc++\src\include\string_view, xrefs: 6052425B
                                                                                                                                                                                                                          • __s != nullptr, xrefs: 60524251
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3490853439.0000000060450000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491756212.0000000060529000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491908614.000000006054A000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491959000.000000006054C000.00000008.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491959000.000000006055C000.00000008.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491959000.0000000060564000.00000008.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492083196.0000000060566000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492122559.0000000060572000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492191897.0000000060575000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492229716.000000006057D000.00000020.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492267357.000000006057E000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: _strlen
                                                                                                                                                                                                                          • String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\string_view$__s != nullptr$null pointer passed to non-null argument of char_traits<...>::length
                                                                                                                                                                                                                          • API String ID: 4218353326-3330642834
                                                                                                                                                                                                                          • Opcode ID: c78e8d8ed1de74b3165c984d9c3eb73fa908159aee7630003775a44113bc2f32
                                                                                                                                                                                                                          • Instruction ID: d8365c6229fc274b0de01bdaff8568e4237041c2a472268b2e3c0c79df079405
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c78e8d8ed1de74b3165c984d9c3eb73fa908159aee7630003775a44113bc2f32
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C481A0B5D00229AFDB11CFA4E885A9EBFB1BF29314F044019E918BB341D734A995CFD1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • GetEnvironmentVariableW.KERNEL32(?,00000000,00000000,?,?,?,00000000,?,60489F35,6047B022,00000000,00000000,?,6047B022,CHROME_CRASHPAD_PIPE_NAME,00000019), ref: 6048A1E3
                                                                                                                                                                                                                          • GetEnvironmentVariableW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 6048A242
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • null pointer passed to non-null argument of char_traits<...>::length, xrefs: 6048A2BA
                                                                                                                                                                                                                          • %s:%d: assertion %s failed: %s, xrefs: 6048A2CE
                                                                                                                                                                                                                          • ..\..\third_party\libc++\src\include\string_view, xrefs: 6048A2C9
                                                                                                                                                                                                                          • __s != nullptr, xrefs: 6048A2BF
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3490853439.0000000060450000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491756212.0000000060529000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491908614.000000006054A000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491959000.000000006054C000.00000008.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491959000.000000006055C000.00000008.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491959000.0000000060564000.00000008.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492083196.0000000060566000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492122559.0000000060572000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492191897.0000000060575000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492229716.000000006057D000.00000020.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492267357.000000006057E000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: EnvironmentVariable
                                                                                                                                                                                                                          • String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\string_view$__s != nullptr$null pointer passed to non-null argument of char_traits<...>::length
                                                                                                                                                                                                                          • API String ID: 1431749950-3330642834
                                                                                                                                                                                                                          • Opcode ID: 2dba5185c5fcc8e47145a72eb09d7a373099a3e3aa7284e06d4cf5c9ded5bd58
                                                                                                                                                                                                                          • Instruction ID: ed1bbbbb55a059ae2b252adec59196c75d983c869e88ff0fd37dd0896eae7c67
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2dba5185c5fcc8e47145a72eb09d7a373099a3e3aa7284e06d4cf5c9ded5bd58
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D531F6B1D002146BEB329B64DC45FBF7B68DF76308F04446DFC06A6281EB79991982E2
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 60520010: TryAcquireSRWLockExclusive.KERNEL32(?,00000000,?,00000004), ref: 60520038
                                                                                                                                                                                                                            • Part of subcall function 60520010: ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,00000004), ref: 60520063
                                                                                                                                                                                                                          • _strlen.LIBCMT ref: 605201F3
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • type, xrefs: 6052029F
                                                                                                                                                                                                                          • null pointer passed to non-null argument of char_traits<...>::length, xrefs: 6052023F
                                                                                                                                                                                                                          • %s:%d: assertion %s failed: %s, xrefs: 60520253
                                                                                                                                                                                                                          • ..\..\third_party\libc++\src\include\string_view, xrefs: 6052024E
                                                                                                                                                                                                                          • __s != nullptr, xrefs: 60520244
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3490853439.0000000060450000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491756212.0000000060529000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491908614.000000006054A000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491959000.000000006054C000.00000008.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491959000.000000006055C000.00000008.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491959000.0000000060564000.00000008.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492083196.0000000060566000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492122559.0000000060572000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492191897.0000000060575000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492229716.000000006057D000.00000020.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492267357.000000006057E000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ExclusiveLock$AcquireRelease_strlen
                                                                                                                                                                                                                          • String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\string_view$__s != nullptr$null pointer passed to non-null argument of char_traits<...>::length$type
                                                                                                                                                                                                                          • API String ID: 1083709183-563373429
                                                                                                                                                                                                                          • Opcode ID: 10a8190571fc898d00c1e23644beb0ed593edaf1fa82ace3c7cef9cdd6dd6faa
                                                                                                                                                                                                                          • Instruction ID: ab4a231a111645c424b72f2bb10b39608b891859cb3d2fb2b7de5f88e92cdc8b
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 10a8190571fc898d00c1e23644beb0ed593edaf1fa82ace3c7cef9cdd6dd6faa
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DF31D175A002196BCB149BA5EC4AEAFBF68EFA5718F400129F90977280EB706D14C7E1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • TryAcquireSRWLockExclusive.KERNEL32(?,?,?,604C94F3,?,3D44E3B6,6049AEA5,?), ref: 604C809A
                                                                                                                                                                                                                          • ReleaseSRWLockExclusive.KERNEL32(?,?,604C94F3,?,3D44E3B6,6049AEA5,?), ref: 604C80B1
                                                                                                                                                                                                                          • TryAcquireSRWLockExclusive.KERNEL32(?,?,604C94F3,?,3D44E3B6,6049AEA5,?), ref: 604C80B8
                                                                                                                                                                                                                          • ReleaseSRWLockExclusive.KERNEL32(?,?,604C94F3,?,3D44E3B6,6049AEA5,?), ref: 604C80DE
                                                                                                                                                                                                                          • TryAcquireSRWLockExclusive.KERNEL32(?,?,?,604C94F3,?,3D44E3B6,6049AEA5,?), ref: 604C8101
                                                                                                                                                                                                                          • ReleaseSRWLockExclusive.KERNEL32(?,?,604C94F3,?,3D44E3B6,6049AEA5,?), ref: 604C8118
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3490853439.0000000060450000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491756212.0000000060529000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491908614.000000006054A000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491959000.000000006054C000.00000008.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491959000.000000006055C000.00000008.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491959000.0000000060564000.00000008.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492083196.0000000060566000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492122559.0000000060572000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492191897.0000000060575000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492229716.000000006057D000.00000020.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492267357.000000006057E000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ExclusiveLock$AcquireRelease
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 17069307-0
                                                                                                                                                                                                                          • Opcode ID: 8d97e24de4a1e3f4b3e7b5a8f0a91b625ff85bd7530650c71a0b389be3a3725b
                                                                                                                                                                                                                          • Instruction ID: e6e0ac337e9d99a8006bdcc2479298cee05724e843bb3efebccfc2717d98547a
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8d97e24de4a1e3f4b3e7b5a8f0a91b625ff85bd7530650c71a0b389be3a3725b
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6051F739E001188FCB309F68C885AAEBBB2BFA6314F06451CE55577350CB78AD06CBD2
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • %s:%d: assertion %s failed: %s, xrefs: 604B83DE
                                                                                                                                                                                                                          • string_view::string_view(_CharT *, size_t): received nullptr, xrefs: 604B83B9
                                                                                                                                                                                                                          • ..\..\third_party\libc++\src\include\string_view, xrefs: 604B83D9
                                                                                                                                                                                                                          • __len == 0 || __s != nullptr, xrefs: 604B83BE
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3490853439.0000000060450000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491756212.0000000060529000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491908614.000000006054A000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491959000.000000006054C000.00000008.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491959000.000000006055C000.00000008.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491959000.0000000060564000.00000008.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492083196.0000000060566000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492122559.0000000060572000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492191897.0000000060575000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492229716.000000006057D000.00000020.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492267357.000000006057E000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: CloseHandle
                                                                                                                                                                                                                          • String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\string_view$__len == 0 || __s != nullptr$string_view::string_view(_CharT *, size_t): received nullptr
                                                                                                                                                                                                                          • API String ID: 2962429428-1530698177
                                                                                                                                                                                                                          • Opcode ID: 09c4b8a9bce9849ad1c3990e9d933884e493b1023291550af20d5bb67dee2208
                                                                                                                                                                                                                          • Instruction ID: 5122385ebb3631e18e2df39c2a0d479ecc6039991b1e19fab210977320407386
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 09c4b8a9bce9849ad1c3990e9d933884e493b1023291550af20d5bb67dee2208
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 87314B3560421B8BEB398F15C840EA67BE6EFB1B04F10541CED1657B00E3B5AC81C7B0
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • InitOnceExecuteOnce.KERNEL32(605771C8,Function_0004A0E0,?,00000000), ref: 6049A146
                                                                                                                                                                                                                          • TlsGetValue.KERNEL32 ref: 6049A163
                                                                                                                                                                                                                          • AcquireSRWLockExclusive.KERNEL32(605771D4), ref: 6049A175
                                                                                                                                                                                                                          • ReleaseSRWLockExclusive.KERNEL32(605771D4), ref: 6049A1A5
                                                                                                                                                                                                                            • Part of subcall function 604E08C6: IsProcessorFeaturePresent.KERNEL32(00000017,604D226B), ref: 604E08E2
                                                                                                                                                                                                                          • TlsAlloc.KERNEL32 ref: 6049A233
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3490853439.0000000060450000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491756212.0000000060529000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491908614.000000006054A000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491959000.000000006054C000.00000008.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491959000.000000006055C000.00000008.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491959000.0000000060564000.00000008.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492083196.0000000060566000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492122559.0000000060572000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492191897.0000000060575000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492229716.000000006057D000.00000020.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3492267357.000000006057E000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ExclusiveLockOnce$AcquireAllocExecuteFeatureInitPresentProcessorReleaseValue
                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                          • API String ID: 2915141342-0
                                                                                                                                                                                                                          • Opcode ID: 40bdfe81c77b0b7cf81f34a1b80ee58675dd89495d712be05efea8b964ff0b95
                                                                                                                                                                                                                          • Instruction ID: d194a1103b1f66837f60803310473e1ded6e5fe12bcc7dad7f6c86cceb3d207b
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 40bdfe81c77b0b7cf81f34a1b80ee58675dd89495d712be05efea8b964ff0b95
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 43319075A002188FDF14AFA4DC89A6E7FB4FF66210B42403DEC16A3350DB39A955DBA1
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                          • TlsGetValue.KERNEL32(FFFFFFFF,6049A230,?,?), ref: 604C40F9
                                                                                                                                                                                                                          • TryAcquireSRWLockExclusive.KERNEL32(?), ref: 604C4209
                                                                                                                                                                                                                          • ReleaseSRWLockExclusive.KERNEL32(?), ref: 604C4231
                                                                                                                                                                                                                          • __Init_thread_header.LIBCMT ref: 604C42C6
                                                                                                                                                                                                                            • Part of subcall function 6049D4A0: TlsSetValue.KERNEL32(FFFFFFFF,604C413B,?,604C413B,FFFFFFFF,?), ref: 6049D4A9
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3490853439.0000000060450000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491756212.0000000060529000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                                                                                                                                          • Associated: 0000000E.00000002.3491908614.000000006054A000.00000004.00000001.01000000.00000016.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
Similarity
• API ID: ExclusiveLockValue$AcquireInit_thread_headerRelease
• String ID:
• API String ID: 4057198150-0
• Opcode ID: c368f0196f5cc9b127dc29c1c659e4bccc84c85437c02d93ee761ec4b2df4954
• Instruction ID: 044f3878cf09963dc9528f7df4b804621acfbec299ee56f87f58d74b7289b2cb
• Opcode Fuzzy Hash: c368f0196f5cc9b127dc29c1c659e4bccc84c85437c02d93ee761ec4b2df4954
• Instruction Fuzzy Hash: F4515A79A002044BEB309F54EC4AFA93B65BFB5348F144578E95953381DB785E84CBD3
APIs
• TryAcquireSRWLockExclusive.KERNEL32(?), ref: 60514180
  • Part of subcall function 604B38D0: AcquireSRWLockExclusive.KERNEL32(?,?,6047D907,?,?,?,?,?,__len <= static_cast<size_type>(numeric_limits<difference_type>::max()),string_view::string_view(_CharT *, size_t): length does not fit in difference_type), ref: 604B38D4
• ReleaseSRWLockExclusive.KERNEL32(?), ref: 605141FD
• TryAcquireSRWLockExclusive.KERNEL32(?), ref: 60514266
• ReleaseSRWLockExclusive.KERNEL32(?), ref: 605142ED
Memory Dump Source
• Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
Similarity
• API ID: ExclusiveLock$Acquire$Release
• String ID:
• API String ID: 1678258262-0
• Opcode ID: cdfbf339997ee956591f1198a00376d601ad17d99d54f37e56c4d73f92181880
• Instruction ID: cffa1869f83eef6802552513f20645083ea3250ee5bafe014513240e5f026206
• Opcode Fuzzy Hash: cdfbf339997ee956591f1198a00376d601ad17d99d54f37e56c4d73f92181880
• Instruction Fuzzy Hash: 425170B4A043058FEB24DF64D894A6BBBF5FFA9308B00056CE41697751DB34ED89CBA1
APIs
• QueryPerformanceCounter.KERNEL32(00000000), ref: 604AE03F
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 604AE07C
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 604AE0B2
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 604AE116
Memory Dump Source
• Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
Similarity
• API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$CounterPerformanceQuery
• String ID:
• API String ID: 374826692-0
• Opcode ID: c2e3a514ed9b96e1e1d5912345947c7183ff73ad3909af30d3cfa3c72c0b8f0a
• Instruction ID: 6324c14cb5daf184d3b43d44f766cb7c28233c986089122c3233bb3bbfe88459
• Opcode Fuzzy Hash: c2e3a514ed9b96e1e1d5912345947c7183ff73ad3909af30d3cfa3c72c0b8f0a
• Instruction Fuzzy Hash: 7B314CB1608305AFC708DF58D88592BFFE9EBD9314F01882EF588C7361E774A8449B92
APIs
• CloseHandle.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6048C257
Strings
• Free, xrefs: 6048C27C
• ..\..\third_party\crashpad\crashpad\util\win\scoped_handle.cc, xrefs: 6048C277
• CloseHandle, xrefs: 6048C299
Memory Dump Source
• Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
Similarity
• API ID: CloseHandle
• String ID: ..\..\third_party\crashpad\crashpad\util\win\scoped_handle.cc$CloseHandle$Free
• API String ID: 2962429428-1704384866
• Opcode ID: 672efac74225cf8741ca7f9016fb348bc35fb2eba10f0273eecbe38a18b1387a
• Instruction ID: 4412006ab578923c4b5b721b3b9f3da417d1aaeaf5d06ef1b0a08617e205dcec
• Opcode Fuzzy Hash: 672efac74225cf8741ca7f9016fb348bc35fb2eba10f0273eecbe38a18b1387a
• Instruction Fuzzy Hash: D5F09C71E40118679F186799DC0ACAE7F69DFF7648B40045DF80A7B242EB34595487E2
APIs
• TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,6051440E,00000001,?,?,?,?,?,605142EA), ref: 604821F9
• ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,6051440E,00000001,?,?,?,?,?,605142EA), ref: 6048222F
  • Part of subcall function 604B38D0: AcquireSRWLockExclusive.KERNEL32(?,?,6047D907,?,?,?,?,?,__len <= static_cast<size_type>(numeric_limits<difference_type>::max()),string_view::string_view(_CharT *, size_t): length does not fit in difference_type), ref: 604B38D4
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                          • Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                          • API ID: ExclusiveLock$Acquire$Release
                                                                                                                                                                                                                          • String ID: l[S`
                                                                                                                                                                                                                          • API String ID: 1678258262-3967367481
                                                                                                                                                                                                                          • Opcode ID: c446093e56ff0f5e5ba84502cb972d5d8932cba63717b8a2ddd29f26882767ff
                                                                                                                                                                                                                          • Instruction ID: 1b7a31dd68a524cce864eac3e3d9da490bc8edd9d31020c1b846dafba01397b3
                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c446093e56ff0f5e5ba84502cb972d5d8932cba63717b8a2ddd29f26882767ff
                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2E41A5B5A006058BDB24DF68D985E6FBBB6BFA5308B10495CE40697340DB39FC05CBD1
APIs
• ___except_validate_context_record.LIBVCRUNTIME ref: 604E848F
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
• Associated: 0000000E.00000002.3490853439.0000000060450000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491756212.0000000060529000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491908614.000000006054A000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006054C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006055C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.0000000060564000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492083196.0000000060566000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492122559.0000000060572000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492191897.0000000060575000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492229716.000000006057D000.00000020.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492267357.000000006057E000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
Similarity
• API ID: ___except_validate_context_record
• String ID: csm$csm
• API String ID: 3493665558-3733052814
• Opcode ID: 71a9d4900b7a57cc4740d45f1c3d9d86f0de6e4ff6241c176000c67ce5250164
• Instruction ID: df00eb0d16894516a0d402d0ad66f8ad576ad3d97e11296379e9971755e41136
• Opcode Fuzzy Hash: 71a9d4900b7a57cc4740d45f1c3d9d86f0de6e4ff6241c176000c67ce5250164
• Instruction Fuzzy Hash: A931E372400209BFCF328F52C800DAA7F66FB1535AB18456EF85849260E7BACC61DB91
APIs
• TryAcquireSRWLockExclusive.KERNEL32(00000000,00000002,FFE00000,?,604A1D50,00000002,FFE00000,?,?), ref: 604A0070
• ReleaseSRWLockExclusive.KERNEL32(00000000,?,604A1D50,00000002,FFE00000,?,?), ref: 604A00B5
Strings
• bitset reset argument out of range, xrefs: 604A0100
Memory Dump Source
• Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
• Associated: 0000000E.00000002.3490853439.0000000060450000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491756212.0000000060529000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491908614.000000006054A000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006054C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006055C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.0000000060564000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492083196.0000000060566000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492122559.0000000060572000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492191897.0000000060575000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492229716.000000006057D000.00000020.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492267357.000000006057E000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
Similarity
• API ID: ExclusiveLock$AcquireRelease
• String ID: bitset reset argument out of range
• API String ID: 17069307-1934458321
• Opcode ID: 386872758e0c536f2ac6641c2b640dcbaf98708cc2119f30ddb5e35f895f87f3
• Instruction ID: 0e0cb0689fb680ea1b876d9e81417856257b7d12fa6a39ad7eb47722b5d5ea7b
• Opcode Fuzzy Hash: 386872758e0c536f2ac6641c2b640dcbaf98708cc2119f30ddb5e35f895f87f3
• Instruction Fuzzy Hash: 9101263221851857CB389A28AC05FBD3A16EBF3364B624218E513D36E8E779CD42C6C2
APIs
• GetCurrentDirectoryW.KERNEL32(00000105,?,?,?,1N`), ref: 604F0197
• GetCurrentDirectoryW.KERNEL32(00000001,00000000,60476EBC,?,?,?,1N`), ref: 604F01CA
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
• Associated: 0000000E.00000002.3490853439.0000000060450000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491756212.0000000060529000.00000002.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491908614.000000006054A000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006054C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.000000006055C000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3491959000.0000000060564000.00000008.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492083196.0000000060566000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492122559.0000000060572000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492191897.0000000060575000.00000004.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492229716.000000006057D000.00000020.00000001.01000000.00000016.sdmp
• Associated: 0000000E.00000002.3492267357.000000006057E000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
Similarity
• API ID: CurrentDirectory
• String ID: 1N`
• API String ID: 1611563598-767462658
• Opcode ID: 7a7bac2cd9e53195339a916fe81af58f6d7d6776d5e447bcc79aca3f127ad620
• Instruction ID: 16f1643740a8eb5cb9ef19e8f3786478118cbdbe5ac0d9edd3b84d29e8c85a5d
• Opcode Fuzzy Hash: 7a7bac2cd9e53195339a916fe81af58f6d7d6776d5e447bcc79aca3f127ad620
• Instruction Fuzzy Hash: 170148725002086BE330AB65AC8AE9E7BACDBF2318F11005DF401D7180EF789D4586A4
                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                            • Part of subcall function 6048FF20: SetFilePointerEx.KERNEL32 ref: 6048FF96
                                                                                                                                                                                                                          • SetEndOfFile.KERNEL32(604869DD), ref: 6049005B
                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                          • ..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc, xrefs: 604900A4
                                                                                                                                                                                                                          • SetEndOfFile, xrefs: 604900B6
                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                          • Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
Similarity
• API ID: File$Pointer
• String ID: ..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc$SetEndOfFile
• API String ID: 1339342385-359779137
APIs
• GetModuleHandleW.KERNEL32(00000000,?,604AFA8E,?,?,00000001,?,60484216,?,?,?,?,60484052,00000001,00000000), ref: 604B8284
• GetProcAddress.KERNEL32(00000000,GetHandleVerifier), ref: 604B8290
Strings
Memory Dump Source
• Source File: 0000000E.00000002.3490883533.0000000060451000.00000020.00000001.01000000.00000016.sdmp, Offset: 60450000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_14_2_60450000_GamePall.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetHandleVerifier
• API String ID: 1646373207-1090674830