Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1467124
MD5: 43374e1be56c3c5dd78a770c46c48a31
SHA1: bd7d391c1d62384558482de36c298855539daa7b
SHA256: e33636849f3662796f4ce6584c06729eb6e1df305c700a8a12890c831488c533
Tags: exe

Detection

LummaC, Poverty Stealer, SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Benign windows process drops PE files
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected LummaC Stealer
Yara detected Poverty Stealer
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found evasive API chain (may stop execution after checking mutex)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides that the sample has been downloaded from the Internet (zone.identifier)
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc.)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Shows file infection / information gathering behavior (enumerates multiple directories for files)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Too many similar processes found
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 6688 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 43374E1BE56C3C5DD78A770C46C48A31)
    • explorer.exe (PID: 1028 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
      • 263.exe (PID: 6948 cmdline: C:\Users\user\AppData\Local\Temp\263.exe MD5: BD2EAC64CBDED877608468D86786594A)
      • 3D69.exe (PID: 6404 cmdline: C:\Users\user\AppData\Local\Temp\3D69.exe MD5: 60172CA946DE57C3529E9F05CC502870)
        • setup.exe (PID: 4500 cmdline: "C:\Users\user\AppData\Local\Temp\setup.exe" MD5: FF2293FBFF53F4BD2BFF91780FABFD60)
          • GamePall.exe (PID: 5640 cmdline: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 6008 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; STK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.133 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3516 --field-trial-handle=3520,i,255411136791549311,11110477984056802424,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2 MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 4720 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 6084 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
                • GamePall.exe (PID: 5584 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 3884 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
                • GamePall.exe (PID: 4040 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
                • GamePall.exe (PID: 2508 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 4824 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
                • GamePall.exe (PID: 4672 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
                • GamePall.exe (PID: 3588 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
                • GamePall.exe (PID: 5476 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 3504 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 6648 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 5848 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 5800 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 6652 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
              • GamePall.exe (PID: 6268 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 1600 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; STK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.133 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3732 --field-trial-handle=3520,i,255411136791549311,11110477984056802424,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8 MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 1480 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; STK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.133 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=4064 --field-trial-handle=3520,i,255411136791549311,11110477984056802424,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8 MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 4712 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; STK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.133 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1720019080238565 --launch-time-ticks=5451895126 --mojo-platform-channel-handle=2284 --field-trial-handle=3520,i,255411136791549311,11110477984056802424,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1 MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 3480 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; STK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.133 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1720019080238565 --launch-time-ticks=5451915685 --mojo-platform-channel-handle=4032 --field-trial-handle=3520,i,255411136791549311,11110477984056802424,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1 MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 5896 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 5596 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
            • GamePall.exe (PID: 1516 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
      • 698B.exe (PID: 3144 cmdline: C:\Users\user\AppData\Local\Temp\698B.exe MD5: DA4B6F39FC024D2383D4BFE7F67F1EE1)
      • GamePall.exe (PID: 5016 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
        • GamePall.exe (PID: 904 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
        • GamePall.exe (PID: 5380 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 7A3502C1119795D35569535DE243B6FE)
  • tvgrbbh (PID: 1576 cmdline: C:\Users\user\AppData\Roaming\tvgrbbh MD5: 43374E1BE56C3C5DD78A770C46C48A31)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body.
Attribution: SMOKY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader
{"C2 url": ["pedestriankodwu.xyz", "towerxxuytwi.xyz", "ellaboratepwsz.xyz", "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop", "foodypannyjsud.shop"], "Build id": "bOKHNM--"}
{"Version": 2022, "C2 list": ["http://evilos.cc/tmp/index.php", "http://gebeus.ru/tmp/index.php", "http://office-techs.biz/tmp/index.php", "http://cx5519.com/tmp/index.php"]}
{"C2 url": "146.70.169.164:2227"}
Source | Rule | Description | Author | Strings
00000005.00000003.2469202741.0000000000C54000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000002.2308849258.0000000002C60000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_3687686f | unknown | unknown
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000004.00000002.2308869402.0000000002C70000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000004.00000002.2308869402.0000000002C70000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown
  • 0x634:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000005.00000003.2453265148.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

Source | Rule | Description | Author | Strings
9.2.698B.exe.c68c00.2.unpack | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security
9.2.698B.exe.3440000.3.raw.unpack | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security
9.2.698B.exe.c60540.1.unpack | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security
9.2.698B.exe.c60540.1.raw.unpack | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security
9.2.698B.exe.3440000.3.unpack | JoeSecurity_PovertyStealer | Yara detected Poverty Stealer | Joe Security

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\setup.exe, ProcessId: 4500, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GamePall
Sigma detected: Execution of Suspicious File Type Extension
Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: C:\Users\user\AppData\Roaming\tvgrbbh, CommandLine: C:\Users\user\AppData\Roaming\tvgrbbh, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\tvgrbbh, NewProcessName: C:\Users\user\AppData\Roaming\tvgrbbh, OriginalFileName: C:\Users\user\AppData\Roaming\tvgrbbh, ParentCommandLine: , ParentImage: , ParentProcessId: 1068, ProcessCommandLine: C:\Users\user\AppData\Roaming\tvgrbbh, ProcessId: 1576, ProcessName: tvgrbbh
No Snort rule has matched

AV Detection

Source: https://foodypannyjsud.shop/api | Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/o | Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/t | Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/s | Avira URL Cloud: Label: malware
Source: http://gebeus.ru/tmp/index.php | Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/j | Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/api( | Avira URL Cloud: Label: malware
Source: http://cx5519.com/tmp/index.php | Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/e5 | Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/la | Avira URL Cloud: Label: malware
Source: contintnetksows.shop | Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/C | Avira URL Cloud: Label: malware
Source: http://evilos.cc/tmp/index.php | Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/6C | Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/apil | Avira URL Cloud: Label: malware
Source: ellaboratepwsz.xyz | Avira URL Cloud: Label: malware
Source: swellfrrgwwos.xyz | Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/apiK | Avira URL Cloud: Label: malware
Source: foodypannyjsud.shop | Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/pi7 | Avira URL Cloud: Label: malware
Source: pedestriankodwu.xyz | Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/es | Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/fe | Avira URL Cloud: Label: malware
Source: towerxxuytwi.xyz | Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/ox | Avira URL Cloud: Label: malware
Source: https://foodypannyjsud.shop/pi | Avira URL Cloud: Label: malware
Source: http://office-techs.biz/tmp/index.php | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\3D69.exe | Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Avira: detection malicious, Label: HEUR/AGEN.1352426
Source: C:\Users\user\AppData\Local\Temp\263.exe | Avira: detection malicious, Label: HEUR/AGEN.1313486
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat | Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: 00000004.00000002.2308869402.0000000002C70000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://evilos.cc/tmp/index.php", "http://gebeus.ru/tmp/index.php", "http://office-techs.biz/tmp/index.php", "http://cx5519.com/tmp/index.php"]}
Source: 9.2.698B.exe.3440000.3.raw.unpack | Malware Configuration Extractor: Poverty Stealer {"C2 url": "146.70.169.164:2227"}
Source: 5.2.263.exe.d80000.0.unpack | Malware Configuration Extractor: LummaC {"C2 url": ["pedestriankodwu.xyz", "towerxxuytwi.xyz", "ellaboratepwsz.xyz", "penetratedpoopp.xyz", "swellfrrgwwos.xyz", "contintnetksows.shop", "foodypannyjsud.shop", "potterryisiw.shop", "foodypannyjsud.shop"], "Build id": "bOKHNM--"}
Source: C:\Users\user\AppData\Local\Temp\263.exe | ReversingLabs: Detection: 67%
Source: C:\Users\user\AppData\Local\Temp\3D69.exe | ReversingLabs: Detection: 20%
Source: C:\Users\user\AppData\Local\Temp\698B.exe | ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Roaming\tvgrbbh | ReversingLabs: Detection: 36%
Source: file.exe | ReversingLabs: Detection: 36%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 93.7% probability
Source: C:\Users\user\AppData\Local\Temp\698B.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\GamePall\Del.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\263.exe | Joe Sandbox ML: detected
Source: file.exe | Joe Sandbox ML: detected
Source: 00000005.00000002.2537238188.0000000000DBD000.00000002.00000001.01000000.00000006.sdmp | String decryptor: pedestriankodwu.xyz
Source: 00000005.00000002.2537238188.0000000000DBD000.00000002.00000001.01000000.00000006.sdmp | String decryptor: towerxxuytwi.xyz
Source: 00000005.00000002.2537238188.0000000000DBD000.00000002.00000001.01000000.00000006.sdmp | String decryptor: ellaboratepwsz.xyz
Source: 00000005.00000002.2537238188.0000000000DBD000.00000002.00000001.01000000.00000006.sdmp | String decryptor: penetratedpoopp.xyz
Source: 00000005.00000002.2537238188.0000000000DBD000.00000002.00000001.01000000.00000006.sdmp | String decryptor: swellfrrgwwos.xyz
Source: 00000005.00000002.2537238188.0000000000DBD000.00000002.00000001.01000000.00000006.sdmp | String decryptor: contintnetksows.shop
Source: 00000005.00000002.2537238188.0000000000DBD000.00000002.00000001.01000000.00000006.sdmp | String decryptor: foodypannyjsud.shop
Source: 00000005.00000002.2537238188.0000000000DBD000.00000002.00000001.01000000.00000006.sdmp | String decryptor: potterryisiw.shop
Source: 00000005.00000002.2537238188.0000000000DBD000.00000002.00000001.01000000.00000006.sdmp | String decryptor: foodypannyjsud.shop
Source: 00000005.00000002.2537238188.0000000000DBD000.00000002.00000001.01000000.00000006.sdmp | String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000005.00000002.2537238188.0000000000DBD000.00000002.00000001.01000000.00000006.sdmp | String decryptor: TeslaBrowser/5.5
Source: 00000005.00000002.2537238188.0000000000DBD000.00000002.00000001.01000000.00000006.sdmp | String decryptor: - Screen Resoluton:
Source: 00000005.00000002.2537238188.0000000000DBD000.00000002.00000001.01000000.00000006.sdmp | String decryptor: - Physical Installed Memory:
Source: 00000005.00000002.2537238188.0000000000DBD000.00000002.00000001.01000000.00000006.sdmp | String decryptor: Workgroup: -
Source: 00000005.00000002.2537238188.0000000000DBD000.00000002.00000001.01000000.00000006.sdmp | String decryptor: bOKHNM--
Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: 9_2_03441C94 CryptUnprotectData,CryptProtectData,9_2_03441C94

Compliance

Source: C:\Users\user\AppData\Local\Temp\698B.exe | Unpacked PE file: 9.2.698B.exe.3440000.3.unpack
Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\setup.exe | Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamePall
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: Binary string: c:\DotNetZip\Zip\obj\Release\Ionic.Zip.pdb source: Ionic.Zip.dll.10.dr
Source: Binary string: *?|<>/":%s%s.dllC:\Users\user\AppData\Roaming\GamePall\GamePall.exeewall.dllll.pdbC:\Users\user\AppData\Roaming\GamePall\Uninstall.exeePallll source: setup.exe, 0000000A.00000002.3948585906.000000000040A000.00000004.00000001.01000000.0000000D.sdmp
Source: Binary string: c:\DotNetZip\Zip\obj\Release\Ionic.Zip.pdb$# source: Ionic.Zip.dll.10.dr
Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: 698B.exe, 00000009.00000002.3506421364.000000000A670000.00000004.00000020.00020000.00000000.sdmp, 698B.exe, 00000009.00000002.3506421364.000000000A681000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: libEGL.dll.pdb source: setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: h:\work\newContent\secondBranch\DeleteProgram\DeleteProgram\obj\Release\KlMain.pdb source: Del.exe.10.dr
Source: Binary string: ntkrnlmp.pdbx source: 698B.exe, 00000009.00000002.3506421364.000000000A670000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntkrnlmp.pdb source: 698B.exe, 00000009.00000002.3506421364.000000000A67F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\* source: 698B.exe, 00000009.00000002.3454319928.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: e:\work\newContent\secondBranch\new\GamePall\obj\Release\GamePall.pdb source: GamePall.exe, 0000000B.00000000.3662648687.0000000000322000.00000002.00000001.01000000.0000000F.sdmp
Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\chrome_elf.dll.pdb source: GamePall.exe, 0000000D.00000002.3767071971.00000000602C9000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: GamePall.exe, 0000000D.00000002.3744533801.0000000005962000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: GamePall.exe, 0000000D.00000002.3743662991.00000000054F2000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: GamePall.exe, 0000000D.00000002.3744533801.0000000005962000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: GamePall.exe, 0000000D.00000002.3743662991.00000000054F2000.00000002.00000001.01000000.00000011.sdmp
Source: Binary string: \Desktop\projects\Release\BigProject.pdb source: 698B.exe, 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp, 698B.exe, 00000009.00000000.2583433810.0000000000699000.00000002.00000001.01000000.0000000B.sdmp, 698B.exe.2.dr
Source: Binary string: Xilium.CefGlue.pdb source: setup.exe, 0000000A.00000002.3949107251.00000000004CA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \swiftshaderXilium.CefGlue.pdb source: setup.exe, 0000000A.00000002.3949107251.00000000004CA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: libGLESv2.dll.pdb source: setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: 698B.exe, 00000009.00000002.3454319928.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \Desktop\projects\Release\BigProject.pdb. source: 698B.exe, 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp, 698B.exe, 00000009.00000000.2583433810.0000000000699000.00000002.00000001.01000000.0000000B.sdmp, 698B.exe.2.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\**Z source: 698B.exe, 00000009.00000002.3454319928.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Directory queried: number of queries: 1478
Source: C:\Users\user\AppData\Local\Temp\3D69.exe | Code function: 8_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,8_2_00405B4A
Source: C:\Users\user\AppData\Local\Temp\3D69.exe | Code function: 8_2_004066FF FindFirstFileA,FindClose,8_2_004066FF
Source: C:\Users\user\AppData\Local\Temp\3D69.exe | Code function: 8_2_004027AA FindFirstFileA,8_2_004027AA
Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: 9_2_006924BD FindFirstFileExW,9_2_006924BD
Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: 9_2_03441000 FindFirstFileW,FindNextFileW,EnterCriticalSection,LeaveCriticalSection,9_2_03441000
Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: 9_2_03444E27 FindFirstFileW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW,9_2_03444E27
Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: 9_2_03441D3C FindFirstFileW,FindNextFileW,9_2_03441D3C
Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: 9_2_034440BA FindFirstFileW,FindNextFileW,9_2_034440BA
Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: 9_2_03443EFC FindFirstFileW,FindNextFileW,9_2_03443EFC
Source: C:\Users\user\AppData\Local\Temp\698B.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\
Source: C:\Users\user\AppData\Local\Temp\698B.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\
Source: C:\Users\user\AppData\Local\Temp\698B.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\
Source: C:\Users\user\AppData\Local\Temp\698B.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\
Source: C:\Users\user\AppData\Local\Temp\698B.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\
Source: C:\Users\user\AppData\Local\Temp\698B.exe | File opened: C:\Users\user\AppData\Local\Adobe\

                  Networking

                  Source: C:\Windows\explorer.exe | Network Connect: 137.74.196.132 443
                  Source: C:\Windows\explorer.exe | Network Connect: 77.221.157.163 80
                  Source: C:\Windows\explorer.exe | Network Connect: 179.53.197.185 80
                  Source: C:\Windows\explorer.exe | Network Connect: 127.0.0.127 80
                  Source: C:\Windows\explorer.exe | Network Connect: 188.114.96.3 80
                  Source: C:\Windows\explorer.exe | Network Connect: 189.165.129.60 80
                  Source: Malware configuration extractor | URLs: pedestriankodwu.xyz
                  Source: Malware configuration extractor | URLs: towerxxuytwi.xyz
                  Source: Malware configuration extractor | URLs: ellaboratepwsz.xyz
                  Source: Malware configuration extractor | URLs: penetratedpoopp.xyz
                  Source: Malware configuration extractor | URLs: swellfrrgwwos.xyz
                  Source: Malware configuration extractor | URLs: contintnetksows.shop
                  Source: Malware configuration extractor | URLs: foodypannyjsud.shop
                  Source: Malware configuration extractor | URLs: potterryisiw.shop
                  Source: Malware configuration extractor | URLs: foodypannyjsud.shop
                  Source: Malware configuration extractor | URLs: http://evilos.cc/tmp/index.php
                  Source: Malware configuration extractor | URLs: http://gebeus.ru/tmp/index.php
                  Source: Malware configuration extractor | URLs: http://office-techs.biz/tmp/index.php
                  Source: Malware configuration extractor | URLs: http://cx5519.com/tmp/index.php
                  Source: Malware configuration extractor | URLs: 146.70.169.164:2227
                  Source: Joe Sandbox View | IP Address: 104.192.141.1
                  Source: Joe Sandbox View | IP Address: 188.114.97.3
                  Source: Joe Sandbox View | ASN Name: OVHFR
                  Source: Joe Sandbox View | ASN Name: INFOBOX-ASInfoboxruAutonomousSystemRU
                  Source: Joe Sandbox View | ASN Name: CompaniaDominicanadeTelefonosSADO
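                  Added example (not part of the Joe Sandbox report or its tooling): a Python triage pass over the Networking lines above. It keeps the report's three evidence tiers apart (connections actually observed, C2 values recovered by the configuration extractor, URL strings found in process memory), reproduces the "System process connects to network" signature as a check on the explorer.exe connections, keeps the loopback peer 127.0.0.127 off any blocklist, deduplicates and defangs the extracted C2 values, and ties the foodypannyjsud.shop C2 back to 263.exe through the memory-string lines further down. The indicator values are quoted from this report; the "|" column separator, the regex field layout and the SYSTEM_PROCESSES set are assumptions of this example.

```python
"""Network-IOC triage for the Joe Sandbox 'Networking' lines above. Added
example for this report, not Joe Sandbox code: it keeps the three evidence
tiers apart (observed connections, extracted C2 config, URL strings found in
memory). Field layout is inferred from the visible lines."""
import ipaddress
import re
from urllib.parse import urlsplit

# Quoted from this report, with the Source and detail columns joined by ' | '.
# The repeated foodypannyjsud.shop entry is as listed; the two memory-string
# lines are shortened to their first dump each.
REPORT_LINES = [
    r"Source: C:\Windows\explorer.exe | Network Connect: 137.74.196.132 443",
    r"Source: C:\Windows\explorer.exe | Network Connect: 77.221.157.163 80",
    r"Source: C:\Windows\explorer.exe | Network Connect: 179.53.197.185 80",
    r"Source: C:\Windows\explorer.exe | Network Connect: 127.0.0.127 80",
    r"Source: C:\Windows\explorer.exe | Network Connect: 188.114.96.3 80",
    r"Source: C:\Windows\explorer.exe | Network Connect: 189.165.129.60 80",
    "Source: Malware configuration extractor | URLs: pedestriankodwu.xyz",
    "Source: Malware configuration extractor | URLs: towerxxuytwi.xyz",
    "Source: Malware configuration extractor | URLs: ellaboratepwsz.xyz",
    "Source: Malware configuration extractor | URLs: penetratedpoopp.xyz",
    "Source: Malware configuration extractor | URLs: swellfrrgwwos.xyz",
    "Source: Malware configuration extractor | URLs: contintnetksows.shop",
    "Source: Malware configuration extractor | URLs: foodypannyjsud.shop",
    "Source: Malware configuration extractor | URLs: potterryisiw.shop",
    "Source: Malware configuration extractor | URLs: foodypannyjsud.shop",
    "Source: Malware configuration extractor | URLs: http://evilos.cc/tmp/index.php",
    "Source: Malware configuration extractor | URLs: http://gebeus.ru/tmp/index.php",
    "Source: Malware configuration extractor | URLs: http://office-techs.biz/tmp/index.php",
    "Source: Malware configuration extractor | URLs: http://cx5519.com/tmp/index.php",
    "Source: Malware configuration extractor | URLs: 146.70.169.164:2227",
    "Source: 263.exe, 00000005.00000003.2453265148.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp"
    " | String found in binary or memory: https://foodypannyjsud.shop/",
    "Source: 698B.exe, 00000009.00000002.3454319928.0000000000BED000.00000004.00000020.00020000.00000000.sdmp"
    " | String found in binary or memory: https://bitbucket.org/fcsdcvscvc/sadcasdv/raw/62af221cbc4d137cf4e95f7d66f3ced90597b434/kupee",
]

CONNECT_RE = re.compile(r"^Source: (\S+) \| Network Connect: ([\d.]+) (\d+)$")
CONFIG_RE = re.compile(r"^Source: Malware configuration extractor \| URLs: (\S+)$")
MEMSTR_RE = re.compile(r"^Source: (.+?) \| String found in binary or memory: (\S+)$")
IP_PORT_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}:\d+$")
# Assumed set: Windows binaries that do not open their own C2 sessions.
SYSTEM_PROCESSES = {"explorer.exe", "svchost.exe", "winlogon.exe", "lsass.exe"}

def parse_connects(lines):
    """(process, ip, port) for each observed outbound connection."""
    hits = (CONNECT_RE.match(line) for line in lines)
    return [(m.group(1).rsplit("\\", 1)[-1].lower(), m.group(2), int(m.group(3))) for m in hits if m]

def routable(connects):
    """Drop loopback/private/reserved peers; 127.0.0.127 is loopback, not a blocklist entry."""
    return [c for c in connects if ipaddress.ip_address(c[1]).is_global]

def system_process_connects(connects):
    """The report's 'System process connects to network' signature as a check: injected code."""
    return [c for c in connects if c[0] in SYSTEM_PROCESSES]

def classify(ioc):
    """Configuration-extractor value kind: url, ip_port or bare domain."""
    if "://" in ioc:
        return "url"
    return "ip_port" if IP_PORT_RE.match(ioc) else "domain"

def host_of(ioc):
    """Host part of any indicator kind, for cross-referencing."""
    return urlsplit(ioc).hostname if classify(ioc) == "url" else ioc.split(":")[0]

def parse_config_iocs(lines):
    """Deduplicated configuration-extractor values, bucketed by kind."""
    buckets = {"url": [], "ip_port": [], "domain": []}
    for ioc in (m.group(1) for m in map(CONFIG_RE.match, lines) if m):
        if ioc not in buckets[classify(ioc)]:
            buckets[classify(ioc)].append(ioc)
    return buckets

def attribute_c2(lines):
    """Map each extracted C2 host to the processes whose memory held a URL on
    it, tying a family's config to the dropped binary that carries it."""
    hosts = {host_of(i) for bucket in parse_config_iocs(lines).values() for i in bucket}
    found = {}
    for m in filter(None, map(MEMSTR_RE.match, lines)):
        host = urlsplit(m.group(2)).hostname
        if host in hosts:
            procs = {t.strip() for t in m.group(1).split(",") if t.strip().endswith(".exe")}
            found.setdefault(host, set()).update(procs)
    return found

def defang(ioc):
    """hxxp scheme and [.] in the host part only, so paths stay readable."""
    if classify(ioc) == "url":
        p = urlsplit(ioc)
        return f"{p.scheme.replace('http', 'hxxp')}://{p.netloc.replace('.', '[.]')}{p.path}"
    host, _, port = ioc.partition(":")
    return host.replace(".", "[.]") + (":" + port if port else "")

def blocklist(lines):
    """Defanged indicators to block: config C2s plus each routable peer a system process contacted."""
    cfg = parse_config_iocs(lines)
    items = cfg["url"] + cfg["ip_port"] + cfg["domain"]
    items += [f"{ip}:{port}" for _, ip, port in routable(system_process_connects(parse_connects(lines)))]
    return [defang(i) for i in dict.fromkeys(items)]
```

                  Enforce the configuration-extractor values first (the LummaC domains, the four /tmp/index.php URLs and 146.70.169.164:2227); the raw peer IPs that explorer.exe contacted may sit on shared hosting and are better used as hunting pivots than as firewall rules until the ASN attribution above has been reviewed.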
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: 9_2_00625B80 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,FreeLibrary,InternetOpenA,FreeLibrary,_strlen,InternetOpenUrlA,FreeLibrary,task,InternetReadFile,FreeLibrary,task,9_2_00625B80
                  Source: GamePall.exe, 00000026.00000002.4558163950.00000000031D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.install-stat.debug.world/clients/activity
                  Source: GamePall.exe, 00000026.00000002.4558163950.00000000031D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.install-stat.debug.world/clients/installs
                  Source: GamePall.exe, 00000026.00000002.4558163950.00000000031D7000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://bageyou.xyz
                  Source: 263.exe, 00000005.00000003.2454041695.0000000003F4E000.00000004.00000800.00020000.00000000.sdmp, 698B.exe, 00000009.00000003.3443726553.000000000A6DF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
                  Source: 263.exe, 00000005.00000003.2454041695.0000000003F4E000.00000004.00000800.00020000.00000000.sdmp, 698B.exe, 00000009.00000003.3443726553.000000000A6DF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
                  Source: explorer.exe, 00000002.00000000.2061150858.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2061150858.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                  Source: 263.exe, 00000005.00000003.2454041695.0000000003F4E000.00000004.00000800.00020000.00000000.sdmp, 698B.exe, 00000009.00000003.3443726553.000000000A6DF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
                  Source: explorer.exe, 00000002.00000000.2055214530.0000000000F13000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.v
                  Source: 263.exe, 00000005.00000003.2454041695.0000000003F4E000.00000004.00000800.00020000.00000000.sdmp, 698B.exe, 00000009.00000003.3443726553.000000000A6DF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                  Source: 263.exe, 00000005.00000003.2454041695.0000000003F4E000.00000004.00000800.00020000.00000000.sdmp, 698B.exe, 00000009.00000003.3443726553.000000000A6DF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                  Source: explorer.exe, 00000002.00000000.2061150858.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2061150858.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                  Source: 263.exe, 00000005.00000003.2454041695.0000000003F4E000.00000004.00000800.00020000.00000000.sdmp, 698B.exe, 00000009.00000003.3443726553.000000000A6DF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                  Source: explorer.exe, 00000002.00000000.2061150858.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2061150858.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                  Source: 263.exe, 00000005.00000003.2454041695.0000000003F4E000.00000004.00000800.00020000.00000000.sdmp, 698B.exe, 00000009.00000003.3443726553.000000000A6DF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
                  Source: GamePall.exe, 0000000D.00000002.3743662991.00000000054F2000.00000002.00000001.01000000.00000011.sdmp | String found in binary or memory: http://logging.apache.org/log4net/release/faq.html#trouble-EventLog
                  Source: 3D69.exe, 3D69.exe, 00000008.00000000.2523620989.000000000040A000.00000008.00000001.01000000.00000007.sdmp, 3D69.exe, 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp, setup.exe, 0000000A.00000000.3335097850.000000000040A000.00000008.00000001.01000000.0000000D.sdmp, setup.exe, 0000000A.00000003.3665927834.0000000000529000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 0000000A.00000002.3948585906.000000000040A000.00000004.00000001.01000000.0000000D.sdmp, 3D69.exe.2.dr | String found in binary or memory: http://nsis.sf.net/NSIS_Error
                  Source: 3D69.exe, 00000008.00000000.2523620989.000000000040A000.00000008.00000001.01000000.00000007.sdmp, 3D69.exe, 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp, setup.exe, 0000000A.00000000.3335097850.000000000040A000.00000008.00000001.01000000.0000000D.sdmp, setup.exe, 0000000A.00000003.3665927834.0000000000529000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 0000000A.00000002.3948585906.000000000040A000.00000004.00000001.01000000.0000000D.sdmp, 3D69.exe.2.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
                  Source: explorer.exe, 00000002.00000000.2061150858.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2061150858.0000000009B0B000.00000004.00000001.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2454041695.0000000003F4E000.00000004.00000800.00020000.00000000.sdmp, 698B.exe, 00000009.00000003.3443726553.000000000A6DF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
                  Source: explorer.exe, 00000002.00000000.2061150858.00000000099C0000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
                  Source: 263.exe, 00000005.00000003.2454041695.0000000003F4E000.00000004.00000800.00020000.00000000.sdmp, 698B.exe, 00000009.00000003.3443726553.000000000A6DF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
                  Source: explorer.exe, 00000002.00000000.2059574274.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2058038399.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2059413579.0000000008870000.00000002.00000001.00040000.00000000.sdmp | String found in binary or memory: http://schemas.micro
                  Source: GamePall.exe, 0000000D.00000002.3743662991.00000000054F2000.00000002.00000001.01000000.00000011.sdmp | String found in binary or memory: http://www.apache.org/).
                  Source: GamePall.exe, 0000000D.00000002.3743662991.00000000054F2000.00000002.00000001.01000000.00000011.sdmp | String found in binary or memory: http://www.apache.org/licenses/
                  Source: GamePall.exe, 0000000D.00000002.3743662991.00000000054F2000.00000002.00000001.01000000.00000011.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                  Source: explorer.exe, 00000002.00000000.2066235693.000000000C81C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2066235693.000000000C861000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
                  Source: Ionic.Zip.dll.10.dr | String found in binary or memory: http://www.codeplex.com/DotNetZip
                  Source: GamePall.exe, 0000000D.00000002.3744870813.00000000065C7000.00000002.00000001.00040000.0000001A.sdmp | String found in binary or memory: http://www.unicode.org/copyright.html
                  Source: 263.exe, 00000005.00000003.2454041695.0000000003F4E000.00000004.00000800.00020000.00000000.sdmp, 698B.exe, 00000009.00000003.3443726553.000000000A6DF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.c.lencr.org/0
                  Source: 263.exe, 00000005.00000003.2454041695.0000000003F4E000.00000004.00000800.00020000.00000000.sdmp, 698B.exe, 00000009.00000003.3443726553.000000000A6DF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://x1.i.lencr.org/0
                  Source: 3D69.exe, 00000008.00000003.2527029591.0000000003070000.00000004.00001000.00020000.00000000.sdmp, 3D69.exe, 00000008.00000002.4026210162.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, 3D69.exe, 00000008.00000002.4025984955.000000000077C000.00000004.00000020.00020000.00000000.sdmp, 3D69.exe, 00000008.00000003.3974152956.000000000077C000.00000004.00000020.00020000.00000000.sdmp, 3D69.exe, 00000008.00000002.4025525314.0000000000718000.00000004.00000020.00020000.00000000.sdmp, 3D69.exe, 00000008.00000003.3958727335.000000000077C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://xiexie.wf/22_551/huge.dat
                  Source: 3D69.exe, 00000008.00000002.4025525314.0000000000718000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://xiexie.wf/22_551/huge.dat247
                  Source: 3D69.exe, 00000008.00000002.4025984955.000000000077C000.00000004.00000020.00020000.00000000.sdmp, 3D69.exe, 00000008.00000003.3974152956.000000000077C000.00000004.00000020.00020000.00000000.sdmp, 3D69.exe, 00000008.00000003.3958727335.000000000077C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://xiexie.wf/22_551/huge.datb
                  Source: 3D69.exe, 00000008.00000002.4025984955.000000000077C000.00000004.00000020.00020000.00000000.sdmp, 3D69.exe, 00000008.00000003.3974152956.000000000077C000.00000004.00000020.00020000.00000000.sdmp, 3D69.exe, 00000008.00000003.3958727335.000000000077C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://xiexie.wf/22_551/huge.datl
                  Source: 3D69.exe, 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp | String found in binary or memory: http://xiexie.wf/22_551/huge.datmCGBZvyfGQlwd
                  Source: 263.exe, 00000005.00000003.2431063628.0000000003F76000.00000004.00000800.00020000.00000000.sdmp, 698B.exe, 00000009.00000002.3456894478.0000000009EC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                  Source: explorer.exe, 00000002.00000000.2065596255.000000000C4DC000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
                  Source: explorer.exe, 00000002.00000000.2057409400.00000000076F8000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://android.notify.windows.com/iOS
                  Source: explorer.exe, 00000002.00000000.2061150858.0000000009ADB000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/
                  Source: explorer.exe, 00000002.00000000.2057409400.0000000007637000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
                  Source: explorer.exe, 00000002.00000000.2056352447.00000000035FA000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://arc.msn.coml
                  Source: 698B.exe, 00000009.00000002.3454319928.0000000000BED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/
                  Source: 698B.exe, 00000009.00000002.3454319928.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, 698B.exe, 00000009.00000002.3454319928.0000000000BA0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bitbucket.org/fcsdcvscvc/sadcasdv/raw/62af221cbc4d137cf4e95f7d66f3ced90597b434/kupee
                  Source: 263.exe, 00000005.00000003.2455583262.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
                  Source: 263.exe, 00000005.00000003.2455583262.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
                  Source: 263.exe, 00000005.00000003.2431063628.0000000003F76000.00000004.00000800.00020000.00000000.sdmp, 698B.exe, 00000009.00000002.3456894478.0000000009EC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                  Source: 263.exe, 00000005.00000003.2431063628.0000000003F76000.00000004.00000800.00020000.00000000.sdmp, 698B.exe, 00000009.00000002.3456894478.0000000009EC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                  Source: 263.exe, 00000005.00000003.2431063628.0000000003F76000.00000004.00000800.00020000.00000000.sdmp, 698B.exe, 00000009.00000002.3456894478.0000000009EC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                  Source: setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.3750900674.0000000006A40000.00000002.00000001.00040000.0000001B.sdmp, et.pak.10.dr, mr.pak.10.dr, ur.pak.10.dr, en-US.pak.10.dr, lt.pak.10.dr | String found in binary or memory: https://chrome.google.com/webstore/category/extensions
                  Source: GamePall.exe, 0000000D.00000002.3750900674.0000000006A40000.00000002.00000001.00040000.0000001B.sdmp, en-US.pak.10.dr | String found in binary or memory: https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u
                  Source: GamePall.exe, 0000000D.00000002.3750900674.0000000006A40000.00000002.00000001.00040000.0000001B.sdmp, en-US.pak.10.dr | String found in binary or memory: https://chrome.google.com/webstore?hl=enCtrl$1
                  Source: et.pak.10.dr | String found in binary or memory: https://chrome.google.com/webstore?hl=et&category=theme81https://myactivity.google.com/myactivity/?u
                  Source: et.pak.10.dr | String found in binary or memory: https://chrome.google.com/webstore?hl=etCtrl$1
                  Source: lt.pak.10.dr | String found in binary or memory: https://chrome.google.com/webstore?hl=lt&category=theme81https://myactivity.google.com/myactivity/?u
                  Source: lt.pak.10.dr | String found in binary or memory: https://chrome.google.com/webstore?hl=ltCtrl$1
                  Source: mr.pak.10.dr | String found in binary or memory: https://chrome.google.com/webstore?hl=mr&category=theme81https://myactivity.google.com/myactivity/?u
                  Source: mr.pak.10.dr | String found in binary or memory: https://chrome.google.com/webstore?hl=mrCtrl$1
                  Source: setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=tr&category=theme81https://myactivity.google.com/myactivity/?u
                  Source: setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=uk&category=theme81https://myactivity.google.com/myactivity/?u
                  Source: setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=ukCtrl$1
                  Source: setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp, ur.pak.10.dr | String found in binary or memory: https://chrome.google.com/webstore?hl=ur&category=theme81https://myactivity.google.com/myactivity/?u
                  Source: setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp, ur.pak.10.dr | String found in binary or memory: https://chrome.google.com/webstore?hl=urCtrl$2
                  Source: setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?u
                  Source: setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=viCtrl$1
                  Source: setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=zh-CN&category=theme81https://myactivity.google.com/myactivity
                  Source: setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=zh-CNCtrl$1
                  Source: setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=zh-TW&category=theme81https://myactivity.google.com/myactivity
                  Source: setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=zh-TWCtrl$1
                  Source: setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.3750900674.0000000006A40000.00000002.00000001.00040000.0000001B.sdmp, et.pak.10.dr, mr.pak.10.dr, ur.pak.10.dr, en-US.pak.10.dr, lt.pak.10.dr | String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
                  Source: setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.3750900674.0000000006A40000.00000002.00000001.00040000.0000001B.sdmp, et.pak.10.dr, mr.pak.10.dr, ur.pak.10.dr, en-US.pak.10.dr, lt.pak.10.dr | String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
                  Source: setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.3750900674.0000000006A40000.00000002.00000001.00040000.0000001B.sdmp, et.pak.10.dr, mr.pak.10.dr, ur.pak.10.dr, en-US.pak.10.dr, lt.pak.10.dr | String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
                  Source: setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.3750900674.0000000006A40000.00000002.00000001.00040000.0000001B.sdmp, et.pak.10.dr, mr.pak.10.dr, ur.pak.10.dr, en-US.pak.10.dr, lt.pak.10.dr | String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
                  Source: setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.3750900674.0000000006A40000.00000002.00000001.00040000.0000001B.sdmp, et.pak.10.dr, mr.pak.10.dr, ur.pak.10.dr, en-US.pak.10.dr, lt.pak.10.dr | String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
                  Source: setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.3750900674.0000000006A40000.00000002.00000001.00040000.0000001B.sdmp, et.pak.10.dr, mr.pak.10.dr, ur.pak.10.dr, en-US.pak.10.dr, lt.pak.10.dr | String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
                  Source: setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.3750900674.0000000006A40000.00000002.00000001.00040000.0000001B.sdmp, et.pak.10.dr, mr.pak.10.dr, ur.pak.10.dr, en-US.pak.10.dr, lt.pak.10.dr | String found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
                  Source: 263.exe, 00000005.00000003.2455583262.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                  Source: 263.exe, 00000005.00000003.2455583262.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
                  Source: 263.exe, 00000005.00000003.2431063628.0000000003F76000.00000004.00000800.00020000.00000000.sdmp, 698B.exe, 00000009.00000002.3456894478.0000000009EC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                  Source: 263.exe, 00000005.00000003.2431063628.0000000003F76000.00000004.00000800.00020000.00000000.sdmp, 698B.exe, 00000009.00000002.3456894478.0000000009EC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                  Source: 263.exe, 00000005.00000003.2431063628.0000000003F76000.00000004.00000800.00020000.00000000.sdmp, 698B.exe, 00000009.00000002.3456894478.0000000009EC4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                  Source: explorer.exe, 00000002.00000000.2061150858.0000000009B89000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://excel.office.com
                  Source: 263.exe, 00000005.00000003.2453265148.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2483451614.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2442545609.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2483423717.0000000000CB2000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2509456015.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000002.2536822854.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2442571497.0000000000C22000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2496940995.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2535409953.0000000000CBB000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2483623632.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2453291170.0000000000C22000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2453693176.0000000000C23000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2483813862.0000000000CC1000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2536047799.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2483243871.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/
                  Source: 263.exe, 00000005.00000003.2509456015.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/6C
                  Source: 263.exe, 00000005.00000002.2536376520.0000000000C28000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2535540317.0000000000C28000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/C
                  Source: 263.exe, 00000005.00000003.2442571497.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2472656065.0000000000C54000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/api
                  Source: 263.exe, 00000005.00000003.2429952734.0000000000C3F000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/api(
                  Source: 263.exe, 00000005.00000003.2483451614.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2483423717.0000000000CB2000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2483623632.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2483813862.0000000000CC1000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2483243871.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/api.
                  Source: 263.exe, 00000005.00000003.2483276485.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2497350743.0000000000C54000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/apiK
                  Source: 263.exe, 00000005.00000003.2468180079.0000000000C47000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/apil
                  Source: 263.exe, 00000005.00000003.2468406053.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2468180079.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2469202741.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/bm
                  Source: 263.exe, 00000005.00000003.2430831073.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2429952734.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2442571497.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/e5
                  Source: 263.exe, 00000005.00000003.2483451614.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2483423717.0000000000CB2000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2496940995.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2483623632.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2483813862.0000000000CC1000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2483243871.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/es
                  Source: 263.exe, 00000005.00000003.2468406053.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2468180079.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/fe
                  Source: 263.exe, 00000005.00000003.2442545609.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2509456015.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000002.2536822854.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2535409953.0000000000CBB000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2536047799.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/j
                  Source: 263.exe, 00000005.00000003.2468180079.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/la
                  Source: 263.exe, 00000005.00000003.2496940995.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/o
                  Source: 263.exe, 00000005.00000003.2442545609.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2442768561.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/ox
                  Source: 263.exe, 00000005.00000003.2453265148.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2483451614.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2483423717.0000000000CB2000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000002.2536822854.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2496940995.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2535409953.0000000000CBB000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2483623632.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2468180079.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2483813862.0000000000CC1000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2536047799.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2483243871.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/pi
                  Source: 263.exe, 00000005.00000002.2536822854.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2535409953.0000000000CBB000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2536047799.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/pi7
                  Source: 263.exe, 00000005.00000003.2442545609.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000002.2536376520.0000000000C28000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2535540317.0000000000C28000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/s
                  Source: 263.exe, 00000005.00000003.2429952734.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2430831073.0000000000C54000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://foodypannyjsud.shop/t
                  Source: 263.exe, 00000005.00000003.2455583262.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
                  Source: setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.3750900674.0000000006A40000.00000002.00000001.00040000.0000001B.sdmp, et.pak.10.dr, mr.pak.10.dr, ur.pak.10.dr, en-US.pak.10.dr, lt.pak.10.dr | String found in binary or memory: https://myactivity.google.com/
                  Source: explorer.exe, 00000002.00000000.2061150858.0000000009B89000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://outlook.com
                  Source: setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp, ur.pak.10.dr, lt.pak.10.dr | String found in binary or memory: https://passwords.google.com
                  Source: setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.3750900674.0000000006A40000.00000002.00000001.00040000.0000001B.sdmp, et.pak.10.dr, mr.pak.10.dr, en-US.pak.10.drString found in binary or memory: https://passwords.google.comGoogle
                  Source: setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://passwords.google.comT
                  Source: setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.3750900674.0000000006A40000.00000002.00000001.00040000.0000001B.sdmp, et.pak.10.dr, mr.pak.10.dr, ur.pak.10.dr, en-US.pak.10.dr, lt.pak.10.drString found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
                  Source: setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.3750900674.0000000006A40000.00000002.00000001.00040000.0000001B.sdmp, et.pak.10.dr, mr.pak.10.dr, ur.pak.10.dr, en-US.pak.10.dr, lt.pak.10.drString found in binary or memory: https://policies.google.com/
                  Source: explorer.exe, 00000002.00000000.2065596255.000000000C460000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comcember
                  Source: setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp, et.pak.10.dr, mr.pak.10.dr, ur.pak.10.dr, lt.pak.10.drString found in binary or memory: https://support.google.com/chrome/a/answer/9122284
                  Source: setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.3750900674.0000000006A40000.00000002.00000001.00040000.0000001B.sdmp, et.pak.10.dr, mr.pak.10.dr, ur.pak.10.dr, en-US.pak.10.dr, lt.pak.10.drString found in binary or memory: https://support.google.com/chrome/answer/6098869
                  Source: setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.3750900674.0000000006A40000.00000002.00000001.00040000.0000001B.sdmp, et.pak.10.dr, mr.pak.10.dr, ur.pak.10.dr, en-US.pak.10.dr, lt.pak.10.drString found in binary or memory: https://support.google.com/chromebook?p=app_intent
                  Source: 263.exe, 00000005.00000003.2455031002.0000000004066000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                  Source: 263.exe, 00000005.00000003.2455031002.0000000004066000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                  Source: GamePall.exe, 0000000D.00000002.3743662991.00000000054F2000.00000002.00000001.01000000.00000011.sdmp, GamePall.exe, 0000000D.00000002.3743755777.0000000005536000.00000002.00000001.01000000.00000011.sdmpString found in binary or memory: https://svn.apache.org/repos/asf/logging/log4net/tags/2.0.8RC1
                  Source: explorer.exe, 00000002.00000000.2061150858.00000000099C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/)s
                  Source: explorer.exe, 00000002.00000000.2061150858.00000000099C0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.comon
                  Source: 263.exe, 00000005.00000003.2455583262.0000000000CD0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
                  Source: 263.exe, 00000005.00000003.2455583262.0000000000CD0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
                  Source: 263.exe, 00000005.00000003.2431063628.0000000003F76000.00000004.00000800.00020000.00000000.sdmp, 698B.exe, 00000009.00000002.3456894478.0000000009EC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                  Source: setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp, mr.pak.10.drString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html
                  Source: setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp, ur.pak.10.drString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html&
                  Source: et.pak.10.drString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlA&biHaldab
                  Source: GamePall.exe, 0000000D.00000002.3750900674.0000000006A40000.00000002.00000001.00040000.0000001B.sdmp, en-US.pak.10.drString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged
                  Source: lt.pak.10.drString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlP&agalbaTvarko
                  Source: setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlT&r
                  Source: setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlYar&d
                  Source: 263.exe, 00000005.00000003.2431063628.0000000003F76000.00000004.00000800.00020000.00000000.sdmp, 698B.exe, 00000009.00000002.3456894478.0000000009EC4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                  Source: 263.exe, 00000005.00000003.2455031002.0000000004066000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
                  Source: 263.exe, 00000005.00000003.2455031002.0000000004066000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
                  Source: 263.exe, 00000005.00000003.2455031002.0000000004066000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                  Source: 263.exe, 00000005.00000003.2455031002.0000000004066000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                  Source: 263.exe, 00000005.00000003.2455031002.0000000004066000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
                  Source: 263.exe, 00000005.00000003.2455031002.0000000004066000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
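                  The rows above (and the "Process created" rows in the System Summary section below) are the report's table columns glued together: the Source column runs straight into the detail label. The script below is an added example, not part of Joe Sandbox or of this report, that splits such rows back into columns and turns them into usable IOCs: the hosts referenced in memory strings together with the sandbox process index they were recovered from (here, every foodypannyjsud.shop path comes out of process 5, 263.exe), the parent/child process tree, and the children launched with the Chromium/CEF sandbox switched off. Two things are assumptions rather than documented facts: that a memory dump name begins with the 8-hex-digit index of its process (00000005 = process 5) and that a dropped file name ends in the index of the process that dropped it (et.pak.10.dr = process 10); both readings are consistent with the rows on this page. The sample rows inside the script are copied from this report, with the last command line cut short after --no-sandbox.

```python
"""Added example (not Joe Sandbox code): split flattened signature rows into IOCs.

Rows in the export look like
  Source: 263.exe, 00000005....sdmpString found in binary or memory: https://...
The row is split at the first known detail label, then the rows yield
  (1) host -> {(url path, process index the string came from)},
  (2) parent image -> [(child image, command line)] from "Process created" rows,
  (3) the child images started with the Chromium/CEF sandbox disabled.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Detail-column labels that occur in this report; the regex splits a row at
# the first one it finds after "Source:".
DETAIL_LABELS = (
    "String found in binary or memory:",
    "Process created:",
    "Matched rule:",
    "Code function:",
    "Mutant created:",
    "File created:",
    "Dropped File:",
)
ROW_RE = re.compile(
    r"^Source:\s*(?P<source>.*?)"
    r"(?P<label>" + "|".join(re.escape(lbl) for lbl in DETAIL_LABELS) + r")"
    r"\s*(?P<detail>.*)$"
)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# ASSUMPTION about the report's naming: a memory dump name starts with the
# 8-hex-digit index of its process ("00000005.00000003....sdmp" -> process 5);
# a dropped-file name ends in ".<index>.dr" ("et.pak.10.dr" -> dropped by process 10).
DUMP_RE = re.compile(r"^(?P<idx>[0-9A-Fa-f]{8})\.")
DROP_RE = re.compile(r"\.(?P<idx>\d+)\.dr$")

# Sample rows copied verbatim from this report (sample input for the example;
# the last command line is cut after --no-sandbox to keep it readable).
SAMPLE_ROWS = r"""
Source: 263.exe, 00000005.00000003.2468180079.0000000000CA5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/la
Source: 263.exe, 00000005.00000003.2496940995.0000000000CC2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://foodypannyjsud.shop/o
Source: setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp, ur.pak.10.dr, lt.pak.10.drString found in binary or memory: https://passwords.google.com
Source: unknownProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\263.exe C:\Users\user\AppData\Local\Temp\263.exe
Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\3D69.exe C:\Users\user\AppData\Local\Temp\3D69.exe
Source: C:\Users\user\AppData\Local\Temp\3D69.exeProcess created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; STK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.133 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox
""".strip().splitlines()


def parse_row(line):
    """Split one flattened row into (source, label, detail); None if it is not a row."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    return m["source"].strip(), m["label"].rstrip(":"), m["detail"].strip()


def origin_indices(source):
    """Process indices that the dumps / dropped files listed in a Source column belong to."""
    indices = set()
    for item in source.split(", "):
        m = DUMP_RE.match(item)
        if m:
            indices.add(int(m["idx"], 16))
            continue
        m = DROP_RE.search(item)
        if m:
            indices.add(int(m["idx"]))
    return indices


def extract_hosts(rows):
    """host -> {(url path, process index)} over every 'String found in binary or memory' row."""
    hosts = defaultdict(set)
    for source, label, detail in rows:
        if label != "String found in binary or memory":
            continue
        for url in URL_RE.findall(detail):
            parts = urlsplit(url)
            for idx in origin_indices(source):
                hosts[parts.netloc.lower()].add((parts.path, idx))
    return hosts


def process_tree(rows):
    """parent image -> [(child image, command line)] from 'Process created' rows.
    Assumes the child image path holds no spaces (true of every path in this report)."""
    children = defaultdict(list)
    for source, label, detail in rows:
        # "Process created: 54" is a per-process count row, not a spawn; skip it.
        if label != "Process created" or detail.isdigit():
            continue
        image, _, cmdline = detail.partition(" ")
        children[source].append((image, cmdline))
    return children


def sandboxless_children(tree, flag="--no-sandbox"):
    """Child images whose command line carries the flag that turns the CEF/Chromium sandbox off."""
    return sorted({image for kids in tree.values() for image, cmd in kids if flag in cmd.split()})


def summarize(lines):
    rows = [r for r in map(parse_row, lines) if r]
    tree = process_tree(rows)
    return {"hosts": extract_hosts(rows), "tree": tree, "no_sandbox": sandboxless_children(tree)}


if __name__ == "__main__":
    s = summarize(SAMPLE_ROWS)
    for host, refs in sorted(s["hosts"].items()):
        print(host, sorted(refs))
    for parent, kids in s["tree"].items():
        for image, _ in kids:
            print(f"{parent} -> {image}")
    print("started with --no-sandbox:", s["no_sandbox"])
```

                  Feeding the script the full row list of this report (rather than the embedded sample) is a matter of reading the lines from a saved copy of the page; rows whose memory string has trailing garbage glued on (for example https://passwords.google.comGoogle) come out with that garbage in the host name and are best reviewed by hand rather than blocked.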

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

                  Source: Yara match | File source: 00000004.00000002.2308869402.0000000002C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000002.2308952172.0000000002DB1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2074082205.0000000004861000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2074046706.0000000004840000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe | Code function: 8_2_004055E7 | GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: 9_2_03444BA2 | GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetDC,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateDIBSection,SelectObject,BitBlt,DeleteObject,DeleteDC,ReleaseDC
                  Source: GamePall.exe | Process created: 54

                  System Summary

                  Source: 00000004.00000002.2308849258.0000000002C60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: 00000004.00000002.2308869402.0000000002C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                  Source: 00000000.00000002.2074010175.0000000004820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
                  Source: 00000004.00000002.2308952172.0000000002DB1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                  Source: 00000000.00000002.2073933094.0000000002D9E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: 00000004.00000002.2309055682.0000000002E6E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
                  Source: 00000000.00000002.2074082205.0000000004861000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                  Source: 00000000.00000002.2074046706.0000000004840000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                  Source: C:\Windows\explorer.exe | Process Stats: CPU usage > 49%
                  Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401538 | NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                  Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402FE9 | RtlCreateUserThread,NtTerminateProcess
                  Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_004014DE | NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                  Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401496 | NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                  Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401543 | NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                  Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401565 | NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                  Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401579 | NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                  Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0040157C | NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                  Source: C:\Users\user\AppData\Roaming\tvgrbbh | Code function: 4_2_00401538 | NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                  Source: C:\Users\user\AppData\Roaming\tvgrbbh | Code function: 4_2_00402FE9 | RtlCreateUserThread,NtTerminateProcess
                  Source: C:\Users\user\AppData\Roaming\tvgrbbh | Code function: 4_2_004014DE | NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                  Source: C:\Users\user\AppData\Roaming\tvgrbbh | Code function: 4_2_00401496 | NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                  Source: C:\Users\user\AppData\Roaming\tvgrbbh | Code function: 4_2_00401543 | NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                  Source: C:\Users\user\AppData\Roaming\tvgrbbh | Code function: 4_2_00401565 | NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                  Source: C:\Users\user\AppData\Roaming\tvgrbbh | Code function: 4_2_00401579 | NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                  Source: C:\Users\user\AppData\Roaming\tvgrbbh | Code function: 4_2_0040157C | NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe | Code function: 8_2_100010D0 | GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe | Code function: 8_2_004034CC | EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe | Code function: 8_2_00406A88
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: 9_2_00681490
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: 9_2_0068D515
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: 9_2_00694775
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: 9_2_0068BE09
                  Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat | B9BC473FC866909F089E005BAF2537EE7FF2825668D40D67C960D5C2AFB34E9F
                  Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\263.exe | CAE992788853230AF91501546F6EAD07CFD767CB8429C98A273093A90BBCB5AD
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: String function: 00680310 appears 51 times
                  Source: file.exe, 00000000.00000002.2073627412.0000000002BEB000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamesAtlassing2 vs file.exe
                  Source: file.exe | Binary or memory string: OriginalFilenamesAtlassing2 vs file.exe
                  Source: file.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                  Source: 00000004.00000002.2308849258.0000000002C60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000004.00000002.2308869402.0000000002C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                  Source: 00000000.00000002.2074010175.0000000004820000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
                  Source: 00000004.00000002.2308952172.0000000002DB1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                  Source: 00000000.00000002.2073933094.0000000002D9E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: 00000004.00000002.2309055682.0000000002E6E000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
                  Source: 00000000.00000002.2074082205.0000000004861000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                  Source: 00000000.00000002.2074046706.0000000004840000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                  Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: tvgrbbh.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: Ionic.Zip.dll.10.dr, WinZipAesCipherStream.cs | Cryptographic APIs: 'TransformBlock'
                  Source: Ionic.Zip.dll.10.dr, WinZipAesCipherStream.cs | Cryptographic APIs: 'TransformFinalBlock'
                  Source: Ionic.Zip.dll.10.dr, WinZipAesCipherStream.cs | Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'
                  Source: GamePall.exe.10.dr, Program.cs | Base64 encoded string: 'pizR9uKkcZIkMW+F1cRjYV0LMt6eYXmLuiNCndESDPkTO3eY1Mjv7Hs2Qvo+t26G', 'ZTDMzZVpdA1FSa2RiY6ZCl2QGyLDtQ3OBRa/N40wO2xxcvcDsATtLRGwKtaEB36dqPJnDF8qXNs92JbMBlsOyg==', 'nYQvMVlU2Asj2rNkmi7xBNqGCkGzSnaP0raCPfB8A9hSwWFTIjPcsKgDrCVAEwSQ1lHf/WOhnKR59a5JjrkJVUOFvV43wO8MM1FKgjYuj7ZzvvuGve+okViUQx+oGN+llGnjS4Fm9o1MUn7p+qcPVIDZRcvMal1ARjQNk+bFvT5vC4J8slkhLZYtvBYmOybvSK90G7/f/U8GPBdM7WBmfFdHzzGxw6WFcHlkdySP8Nvmzff08RdOn8QOu8FlABEqqEjQ0W84v+/lU0lmhvzugpodd8fIp2kb2/twZPg9/Jsy5viOC65K8bs1ES63SA2d62f5cJYpFf1f0WBQbCBcSzfwiDlBCWVIW9vFXW1awyEMdm3q36+BViyETC5tnyHuoLRgf3bXoQAwqE0OIII5DROfW+LmqqHY82rVXHAqhVjdA2wZRWcSI1zxV7+qTfhmp9qbIQAWSuuXTzhbIvI3gjvtPCdz9uBv8rjyg1XZNxfdgYdtF+klyGgKdefnu5G2pgjfT3Kb/VbjgkFvLlqtWNr5K7iC080FVeHsZazMHUrrDtsmNdChtvnX8Zj77rIGVxi9RfvHhhIhBj+WSos+lJ2nuvQkUpqVEa1mrZSwPezG/uoh0qvs+BAHbNFNjv99WS6tgWIkvcQVCi2h3cfxTGQiZDetQZqB+N/mnvgC6WdrcRKGHBE4mp6bpgTY9+nt3lPiH6OZnlxC8rdHbuGtY6R/FgNFYkw49JWXYeZ1VV3KnjSrFMvDlkyMCAW1X9/1VoC+f73WVYMLwXafDKtGO2lfr9vwKms+8HoEgs7bj0aroIPdmLK/z/djAsFZO8Vp', 'T7BWwqrn4yISEECEAnARpwE8R+3lDHSc+RlcJT90an1SNsS27lGBQjOx4RmDHlrj7oJnnzx1IWXOkbTfLzBeCfU6UJhOIoQKhcWidAxAKIxvqZnoB6AujIU0F7dEj65vahyTdEvkIxzFaV2+akbl53KcDi5RPBOP16iXVi0WJdHV5AbSCI9WCEcSX/fUpmukBh4bjVF/T/P/B6TFVtNZintCOSO2Ha+2va2CJMOnJ020zYskwuvcH9d1rGD3Zf9RBC2obzrhRNK2LXTEIYnifs6L2UdqFhw5aANXILziQtzKvsTQKvc15hvHCCoeXJCyyK7/WgA/oRu7bdrTs2DwCQ==', 'ZY0WCEgzqiLEU8ZUVJwGTpbkuL9KoMwYVloBqJXjur8rfBZEXTysQNKRQ1H7/vn7o0wyHAux60SVy06r4v6So5WWxddei09LXvL6ZwK/tyY=', 's7iS2XfzyI+IBoARaZQlTINg1kEy7qT7EopaSHQzpqktZBtc7UiOYrPdv/6f4cNI', 'o2ZleBui4P9C2ZjnB98Vuesy1C+WucHiXjQJ8RANoX6TheGfnLYAWDsXRfSeNCDHWdkBP2RBrkWPBy/nuM2NFLMETMUsPFeG3JHWafvGKzaNEjYO3Up9m61SnaY5tINvLCYJ/TKITszJ9H1YSm2chnmQGLUzbz4pwvWvvKfH8m7z585W73/QZrtw3l/30vcZaVocgwemYusDJYsOTgeWc0okiDahD7qtJcBYZ0aOzxZZmHDMBYigkRVf8GTJ/xucA/i7EHBFpaWoLVZVcuGFMA==', 'T7BWwqrn4yISEECEAnARp+JyVgG3cZc2/9+3VbyOjc4PuRSCU7ZfXuXpIIH8uj2roUU+W7nSmXHqTuxLhe6DBfNVh8PFZrhNX/YhIexDxrk=', 'G4TxOgdwfNBdU+6bscw2hqt3kZYZMfoEuKZtmCxRLrF8xJCK1+L0ocd8eSQjty7d', 'PcG64iM3U1vDIVDm7HuwTSvKhuz45f/WPqYoWZvzLHcapbEfkynZkUjmDgg30eof', 'XGcq7Js3+2f2oGHGFzxJPiYsrodwK+bTw/0lKjiUd0tSWMHEjdVqzAclD1/nPksq3sGhVTN8oFeHMRE7wAt3mCLVCEXKF9JLnNeWw9vvCbs=', 'T7BWwqrn4yISEECEAnARp8UQ6kvfa8mDiwe39obQZ+Rxfj5bbo//kf+4mlTsZUEg0QM/4QBKb6sUDMsk9OTdYg==', 'T7BWwqrn4yISEECEAnARp/U1NCwfjpQ4K5UKuMbDqXSrjfU6Tf/pOCpHlHXtYnU5', 'Gg/rFkGmnFrfPAny9sQ3qerPGxlC7+cuu92x2tgXrCRkqABwTbbIR8+hJN0krbBD9OJX8s2JqeR+xICuD2u17N7KjlWCZwpg4+c7mG1xAahALfXXbu/EvJy+KsAzQlzR9bu8P4wbyuM6r6/7kdf+VQ==', 'Zh3o1d4Zr0FJ548CrzCJDMeQhe52nu1Hz4hkTFOalLT3pudJg4gGhcEax3IHwBI0R5vZR7J9mjUQ8R9MdKz/Fw==', 'Zh3o1d4Zr0FJ548CrzCJDMeQhe52nu1Hz4hkTFOalLTcCwJrbTmNGWmZutw1Di2FSZ+3JxFtC00BiemuQuq2+A=='
                  Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@283/115@0/10
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe | Code function: 8_2_004034CC | EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe | Code function: 8_2_00404897 | GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
                  Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02DA5552 | CreateToolhelp32Snapshot,Module32First
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe | Code function: 8_2_00402173 | CoCreateInstance,MultiByteToWideChar
                  Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\tvgrbbh
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Mutant created: NULL
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Mutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_GamePall_Logs_mainLog.txt
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | Mutant created: \Sessions\1\BaseNamedObjects\1e7f31ac-1494-47cc-9633-054c20e7432e
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Mutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_GamePall_Logs_rendLog.txt
                  Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\263.tmp
                  Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  Source: C:\Windows\explorer.exe | File read: C:\Users\desktop.ini
                  Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | File read: C:\Windows\System32\drivers\etc\hosts
                  Source: 263.exe, 00000005.00000003.2443032910.0000000003F52000.00000004.00000800.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2430575499.0000000003F64000.00000004.00000800.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2431218943.0000000003F45000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                  Source: file.exe | ReversingLabs: Detection: 36%
                  Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                  Source: unknown | Process created: C:\Users\user\AppData\Roaming\tvgrbbh C:\Users\user\AppData\Roaming\tvgrbbh
                  Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\263.exe C:\Users\user\AppData\Local\Temp\263.exe
                  Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\3D69.exe C:\Users\user\AppData\Local\Temp\3D69.exe
                  Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Local\Temp\698B.exe C:\Users\user\AppData\Local\Temp\698B.exe
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe | Process created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe"
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; STK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.133 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3516 --field-trial-handle=3520,i,255411136791549311,11110477984056802424,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; STK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.133 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3732 --field-trial-handle=3520,i,255411136791549311,11110477984056802424,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; STK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.133 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=4064 --field-trial-handle=3520,i,255411136791549311,11110477984056802424,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; STK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.133 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1720019080238565 --launch-time-ticks=5451895126 --mojo-platform-channel-handle=2284 --field-trial-handle=3520,i,255411136791549311,11110477984056802424,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; STK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.133 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1720019080238565 --launch-time-ticks=5451915685 --mojo-platform-channel-handle=4032 --field-trial-handle=3520,i,255411136791549311,11110477984056802424,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\263.exe C:\Users\user\AppData\Local\Temp\263.exeJump to behavior
                  Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\3D69.exe C:\Users\user\AppData\Local\Temp\3D69.exeJump to behavior
                  Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Local\Temp\698B.exe C:\Users\user\AppData\Local\Temp\698B.exeJump to behavior
                  Source: C:\Windows\explorer.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" Jump to behavior
                  Source: C:\Windows\explorer.exeProcess created: unknown unknownJump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exeProcess created: C:\Users\user\AppData\Local\Temp\setup.exe "C:\Users\user\AppData\Local\Temp\setup.exe"Jump to behavior
                  Source: C:\Users\user\AppData\Local\Temp\setup.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; STK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.133 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3516 --field-trial-handle=3520,i,255411136791549311,11110477984056802424,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; STK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.133 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3732 --field-trial-handle=3520,i,255411136791549311,11110477984056802424,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; STK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.133 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=4064 --field-trial-handle=3520,i,255411136791549311,11110477984056802424,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; STK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.133 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1720019080238565 --launch-time-ticks=5451895126 --mojo-platform-channel-handle=2284 --field-trial-handle=3520,i,255411136791549311,11110477984056802424,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; STK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.133 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1720019080238565 --launch-time-ticks=5451915685 --mojo-platform-channel-handle=4032 --field-trial-handle=3520,i,255411136791549311,11110477984056802424,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll
                  Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll
                  Source: C:\Users\user\Desktop\file.exe	Section loaded: msimg32.dll
                  Source: C:\Users\user\Desktop\file.exe	Section loaded: msvcr100.dll
                  Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll
                  Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll
                  Source: C:\Windows\explorer.exe	Section loaded: webio.dll
                  Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll
                  Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll
                  Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll
                  Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll
                  Source: C:\Windows\explorer.exe	Section loaded: cdprt.dll
                  Source: C:\Windows\explorer.exe	Section loaded: smartscreenps.dll
                  Source: C:\Users\user\AppData\Roaming\tvgrbbh	Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Roaming\tvgrbbh	Section loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Roaming\tvgrbbh	Section loaded: msimg32.dll
                  Source: C:\Users\user\AppData\Roaming\tvgrbbh	Section loaded: msvcr100.dll
                  Source: C:\Users\user\AppData\Local\Temp\263.exe	Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\Temp\263.exe	Section loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Local\Temp\263.exe	Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\263.exe	Section loaded: webio.dll
                  Source: C:\Users\user\AppData\Local\Temp\263.exe	Section loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Local\Temp\263.exe	Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\263.exe	Section loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Local\Temp\263.exe	Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\Temp\263.exe	Section loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\263.exe	Section loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Local\Temp\263.exe	Section loaded: fwpuclnt.dll
                  Source: C:\Users\user\AppData\Local\Temp\263.exe	Section loaded: schannel.dll
                  Source: C:\Users\user\AppData\Local\Temp\263.exe	Section loaded: mskeyprotect.dll
                  Source: C:\Users\user\AppData\Local\Temp\263.exe	Section loaded: ntasn1.dll
                  Source: C:\Users\user\AppData\Local\Temp\263.exe	Section loaded: ncrypt.dll
                  Source: C:\Users\user\AppData\Local\Temp\263.exe	Section loaded: ncryptsslp.dll
                  Source: C:\Users\user\AppData\Local\Temp\263.exe	Section loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Local\Temp\263.exe	Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Local\Temp\263.exe	Section loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Local\Temp\263.exe	Section loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Local\Temp\263.exe	Section loaded: gpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\263.exe	Section loaded: dpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\263.exe	Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\263.exe	Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\263.exe	Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\263.exe	Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\263.exe	Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\263.exe	Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\263.exe	Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\263.exe	Section loaded: wbemcomn.dll
                  Source: C:\Users\user\AppData\Local\Temp\263.exe	Section loaded: amsi.dll
                  Source: C:\Users\user\AppData\Local\Temp\263.exe	Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\Temp\263.exe	Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\263.exe	Section loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Temp\263.exe	Section loaded: wbemcomn.dll
                  Source: C:\Users\user\AppData\Local\Temp\263.exe	Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\263.exe	Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\263.exe	Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe	Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe	Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe	Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe	Section loaded: propsys.dll
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe	Section loaded: dwmapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe	Section loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe	Section loaded: oleacc.dll
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe	Section loaded: ntmarta.dll
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe	Section loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe	Section loaded: shfolder.dll
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe	Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe	Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe	Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe	Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe	Section loaded: wininet.dll
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe	Section loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe	Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe	Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe	Section loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe	Section loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe	Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe	Section loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe	Section loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe	Section loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe	Section loaded: netutils.dll
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe	Section loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe	Section loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe	Section loaded: fwpuclnt.dll
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe	Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe	Section loaded: wininet.dll
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe	Section loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe	Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe	Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe	Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe	Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe	Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe	Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe	Section loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe	Section loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe	Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe	Section loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe	Section loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe	Section loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe	Section loaded: netutils.dll
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe	Section loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe	Section loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe	Section loaded: fwpuclnt.dll
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe	Section loaded: schannel.dll
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe	Section loaded: mskeyprotect.dll
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe	Section loaded: ntasn1.dll
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe	Section loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe	Section loaded: dpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe	Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe	Section loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe	Section loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe	Section loaded: gpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe	Section loaded: ncrypt.dll
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe	Section loaded: ncryptsslp.dll
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe	Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: acgenral.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: winmm.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: samcli.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: msacm32.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: version.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: dwmapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: mpr.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: winmmbase.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: winmmbase.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: netutils.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: propsys.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: oleacc.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: ntmarta.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: shfolder.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: firewallapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: fwbase.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: fwpolicyiomgr.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: apphelp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wbemcomn.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: amsi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: userenv.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mmdevapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: devobj.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: audioses.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: powrprof.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: umpdc.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.ui.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windowmanagementapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: textinputframework.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: inputhost.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: twinapi.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: coremessaging.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: twinapi.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: propsys.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: coreuicomponents.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ntmarta.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rasapi32.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rasman.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rtutils.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mswsock.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ondemandconnroutehelper.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dhcpcsvc6.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dhcpcsvc.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dnsapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: winnsi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rasadhlp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: fwpuclnt.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dbghelp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: winmm.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: secur32.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: chrome_elf.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dwrite.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dpapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: nlaapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: edputil.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: netutils.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.staterepositoryps.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: gpapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wkscli.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: appresolver.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: bcp47langs.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: slc.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sppc.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wtsapi32.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: winsta.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecorecommonproxystub.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscms.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: coloradapterclient.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mdmregistration.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mdmregistration.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: msvcp110_win.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: omadmapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dmcmnutils.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iri.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: netapi32.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dsreg.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: msvcp110_win.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dbghelp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: winmm.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: userenv.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: secur32.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: chrome_elf.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dwrite.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dhcpcsvc.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ntmarta.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dxgi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wbemcomn.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: amsi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: userenv.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: propsys.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: edputil.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: netutils.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.staterepositoryps.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: appresolver.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: bcp47langs.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: slc.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sppc.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecorecommonproxystub.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dbghelp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: winmm.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: userenv.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: secur32.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: chrome_elf.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dwrite.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dhcpcsvc.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dbghelp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: winmm.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: iphlpapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: userenv.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: secur32.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: winhttp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: chrome_elf.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dwrite.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: dhcpcsvc.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: msasn1.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ntmarta.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wbemcomn.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: amsi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: userenv.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: propsys.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: edputil.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: netutils.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.staterepositoryps.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: appresolver.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: bcp47langs.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: slc.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sppc.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecorecommonproxystub.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wbemcomn.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: amsi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: userenv.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: propsys.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: edputil.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: netutils.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.staterepositoryps.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: appresolver.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: bcp47langs.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: slc.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sppc.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecorecommonproxystub.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wbemcomn.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: amsi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: userenv.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: propsys.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: edputil.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: netutils.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.staterepositoryps.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sspicli.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wintypes.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: appresolver.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: bcp47langs.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: slc.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sppc.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecorecommonproxystub.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: onecoreuapcommonproxystub.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: mscoree.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: kernel.appcore.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: version.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: vcruntime140_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: ucrtbase_clr0400.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: uxtheme.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptsp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: rsaenh.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: cryptbase.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.storage.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wldp.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: profapi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: wbemcomn.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: amsi.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: userenv.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: propsys.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: edputil.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: urlmon.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: iertutil.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: srvcli.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: netutils.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: windows.staterepositoryps.dll
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeSection loaded: sspicli.dll
                  Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\InProcServer32
                  Source: Window Recorder Window detected: More than 3 window changes detected
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamePall
                  Source: C:\Users\user\Desktop\file.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
                  Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                  Source: Binary string: c:\DotNetZip\Zip\obj\Release\Ionic.Zip.pdb source: Ionic.Zip.dll.10.dr
                  Source: Binary string: *?|<>/":%s%s.dllC:\Users\user\AppData\Roaming\GamePall\GamePall.exeewall.dllll.pdbC:\Users\user\AppData\Roaming\GamePall\Uninstall.exeePallll source: setup.exe, 0000000A.00000002.3948585906.000000000040A000.00000004.00000001.01000000.0000000D.sdmp
                  Source: Binary string: c:\DotNetZip\Zip\obj\Release\Ionic.Zip.pdb$# source: Ionic.Zip.dll.10.dr
                  Source: Binary string: WINLOA~1.PDBwinload_prod.pdb source: 698B.exe, 00000009.00000002.3506421364.000000000A670000.00000004.00000020.00020000.00000000.sdmp, 698B.exe, 00000009.00000002.3506421364.000000000A681000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: libEGL.dll.pdb source: setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: h:\work\newContent\secondBranch\DeleteProgram\DeleteProgram\obj\Release\KlMain.pdb source: Del.exe.10.dr
                  Source: Binary string: ntkrnlmp.pdbx source: 698B.exe, 00000009.00000002.3506421364.000000000A670000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: ntkrnlmp.pdb source: 698B.exe, 00000009.00000002.3506421364.000000000A67F000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\68A17FAF3012B7846079AEECDBE0A5831\* source: 698B.exe, 00000009.00000002.3454319928.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: e:\work\newContent\secondBranch\new\GamePall\obj\Release\GamePall.pdb source: GamePall.exe, 0000000B.00000000.3662648687.0000000000322000.00000002.00000001.01000000.0000000F.sdmp
                  Source: Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\chrome_elf.dll.pdb source: GamePall.exe, 0000000D.00000002.3767071971.00000000602C9000.00000002.00000001.01000000.00000015.sdmp
                  Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: GamePall.exe, 0000000D.00000002.3744533801.0000000005962000.00000002.00000001.01000000.00000012.sdmp
                  Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: GamePall.exe, 0000000D.00000002.3743662991.00000000054F2000.00000002.00000001.01000000.00000011.sdmp
                  Source: Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: GamePall.exe, 0000000D.00000002.3744533801.0000000005962000.00000002.00000001.01000000.00000012.sdmp
                  Source: Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: GamePall.exe, 0000000D.00000002.3743662991.00000000054F2000.00000002.00000001.01000000.00000011.sdmp
                  Source: Binary string: \Desktop\projects\Release\BigProject.pdb source: 698B.exe, 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp, 698B.exe, 00000009.00000000.2583433810.0000000000699000.00000002.00000001.01000000.0000000B.sdmp, 698B.exe.2.dr
                  Source: Binary string: Xilium.CefGlue.pdb source: setup.exe, 0000000A.00000002.3949107251.00000000004CA000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \swiftshaderXilium.CefGlue.pdb source: setup.exe, 0000000A.00000002.3949107251.00000000004CA000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: libGLESv2.dll.pdb source: setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb source: 698B.exe, 00000009.00000002.3454319928.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp
                  Source: Binary string: \Desktop\projects\Release\BigProject.pdb. source: 698B.exe, 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp, 698B.exe, 00000009.00000000.2583433810.0000000000699000.00000002.00000001.01000000.0000000B.sdmp, 698B.exe.2.dr
                  Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\Symbols\winload_prod.pdb\**Z source: 698B.exe, 00000009.00000002.3454319928.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp

                  Data Obfuscation

                  Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
                  Source: C:\Users\user\AppData\Roaming\tvgrbbh | Unpacked PE file: 4.2.tvgrbbh.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | Unpacked PE file: 9.2.698B.exe.3440000.3.unpack
                  Source: Newtonsoft.Json.dll.10.dr | Static PE information: 0xF68F744F [Mon Jan 31 06:35:59 2101 UTC]
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe | Code function: 8_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary,8_2_100010D0
                  Source: initial sample | Static PE information: section where entry point is pointing to: .vmpLp
                  Source: 263.exe.2.dr | Static PE information: section name: .vmpLp
                  Source: libEGL.dll.10.dr | Static PE information: section name: .00cfg
                  Source: libEGL.dll.10.dr | Static PE information: section name: .voltbl
                  Source: libGLESv2.dll.10.dr | Static PE information: section name: .00cfg
                  Source: libGLESv2.dll.10.dr | Static PE information: section name: .voltbl
                  Source: chrome_elf.dll.10.dr | Static PE information: section name: .00cfg
                  Source: chrome_elf.dll.10.dr | Static PE information: section name: .crthunk
                  Source: chrome_elf.dll.10.dr | Static PE information: section name: CPADinfo
                  Source: chrome_elf.dll.10.dr | Static PE information: section name: malloc_h
                  Source: libEGL.dll0.10.dr | Static PE information: section name: .00cfg
                  Source: libGLESv2.dll0.10.dr | Static PE information: section name: .00cfg
                  Source: libcef.dll.10.dr | Static PE information: section name: .00cfg
                  Source: libcef.dll.10.dr | Static PE information: section name: .rodata
                  Source: libcef.dll.10.dr | Static PE information: section name: CPADinfo
                  Source: libcef.dll.10.dr | Static PE information: section name: malloc_h
                  Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401CD1 push ecx; ret 0_2_00401CD2
                  Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00401C91 push 00000076h; iretd 0_2_00401C93
                  Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00402E96 push B92A2F4Ch; retf 0_2_00402E9B
                  Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02D9E680 push eax; ret 0_2_02D9E68D
                  Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02DAAFA4 push edx; ret 0_2_02DAAFA5
                  Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02DAD022 push FFFFFFFBh; iretd 0_2_02DAD038
                  Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04821CF8 push 00000076h; iretd 0_2_04821CFA
                  Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04822EFD push B92A2F4Ch; retf 0_2_04822F02
                  Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04821D38 push ecx; ret 0_2_04821D39
                  Source: C:\Users\user\AppData\Roaming\tvgrbbh | Code function: 4_2_00401CD1 push ecx; ret 4_2_00401CD2
                  Source: C:\Users\user\AppData\Roaming\tvgrbbh | Code function: 4_2_00401C91 push 00000076h; iretd 4_2_00401C93
                  Source: C:\Users\user\AppData\Roaming\tvgrbbh | Code function: 4_2_00402E96 push B92A2F4Ch; retf 4_2_00402E9B
                  Source: C:\Users\user\AppData\Roaming\tvgrbbh | Code function: 4_2_02C62EFD push B92A2F4Ch; retf 4_2_02C62F02
                  Source: C:\Users\user\AppData\Roaming\tvgrbbh | Code function: 4_2_02C61CF8 push 00000076h; iretd 4_2_02C61CFA
                  Source: C:\Users\user\AppData\Roaming\tvgrbbh | Code function: 4_2_02C61D38 push ecx; ret 4_2_02C61D39
                  Source: C:\Users\user\AppData\Roaming\tvgrbbh | Code function: 4_2_02E7C9F2 push FFFFFFFBh; iretd 4_2_02E7CA08
                  Source: C:\Users\user\AppData\Roaming\tvgrbbh | Code function: 4_2_02E6E6D6 push eax; ret 4_2_02E6E6DD
                  Source: C:\Users\user\AppData\Roaming\tvgrbbh | Code function: 4_2_02E7A974 push edx; ret 4_2_02E7A975
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: 9_2_0068004B push ecx; ret 9_2_0068005E
                  Source: file.exe | Static PE information: section name: .text entropy: 7.617708599696731
                  Source: tvgrbbh.2.dr | Static PE information: section name: .text entropy: 7.617708599696731
                  Source: Ionic.Zip.dll.10.dr | Static PE information: section name: .text entropy: 6.821349263259562
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\libcef.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\libEGL.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\log4net.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll
                  Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\3D69.exe
                  Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\tvgrbbh
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe | File created: C:\Users\user\AppData\Local\Temp\nsq35F8.tmp\INetC.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\Del.exe
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe | File created: C:\Users\user\AppData\Local\Temp\nsq35F8.tmp\blowfish.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe | File created: C:\Users\user\AppData\Local\Temp\nsq35F8.tmp\nsProcess.dll
                  Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\263.exe
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe | File created: C:\Users\user\AppData\Local\Temp\setup.exe
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Local\Temp\nsaF0B8.tmp\liteFirewall.dll
                  Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\698B.exe
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\chrome_elf.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe | File created: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GamePall

                  Hooking and other Techniques for Hiding and Protection

                  Source: C:\Windows\explorer.exe | File deleted: c:\users\user\desktop\file.exe
                  Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\tvgrbbh:Zone.Identifier read attributes | delete
                  Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: C:\Users\user\Desktop\file.exe  Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                  Source: C:\Users\user\AppData\Roaming\tvgrbbh  Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe  Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess (graph_9-145355)
                  Source: C:\Users\user\AppData\Local\Temp\263.exe  System information queried: FirmwareTableInformation
                  Source: C:\Users\user\Desktop\file.exe  API/Special instruction interceptor: Address: 7FF8C88EE814
                  Source: C:\Users\user\Desktop\file.exe  API/Special instruction interceptor: Address: 7FF8C88ED584
                  Source: C:\Users\user\AppData\Roaming\tvgrbbh  API/Special instruction interceptor: Address: 7FF8C88EE814
                  Source: C:\Users\user\AppData\Roaming\tvgrbbh  API/Special instruction interceptor: Address: 7FF8C88ED584
                  Source: C:\Users\user\AppData\Local\Temp\263.exe  API/Special instruction interceptor: Address: 12A9E6B
                  Source: C:\Users\user\AppData\Local\Temp\263.exe  API/Special instruction interceptor: Address: 11E4E89
                  Source: C:\Users\user\AppData\Local\Temp\263.exe  API/Special instruction interceptor: Address: 10FAA71
                  Source: C:\Users\user\AppData\Local\Temp\263.exe  API/Special instruction interceptor: Address: 1315B80
                  Source: C:\Users\user\AppData\Local\Temp\263.exe  API/Special instruction interceptor: Address: 1664DE8
                  Source: C:\Users\user\AppData\Local\Temp\263.exe  API/Special instruction interceptor: Address: 11076F5
                  Source: C:\Users\user\AppData\Local\Temp\263.exe  API/Special instruction interceptor: Address: 12D8181
                  Source: C:\Users\user\AppData\Local\Temp\263.exe  API/Special instruction interceptor: Address: 11D6310
                  Source: file.exe  Binary or memory string: ASWHOOK
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: CE0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 2700000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 2630000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 14D0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 2E80000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 14D0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 2D50000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 2F40000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 2D70000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 1590000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 2F50000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 4F50000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 28C0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 2B50000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 28C0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: AF0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 2810000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 2520000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 9A0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 2660000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 4660000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 3060000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 32C0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 30E0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 1770000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 3190000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 1770000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 2F60000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 32E0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 3110000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: F30000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 2930000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 2720000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 25E0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 27C0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 25E0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 2A50000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 2DB0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 4DB0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: ED0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 2C30000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 2A50000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 10E0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 2900000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 4900000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 11E0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 2D10000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 29B0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: A60000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 25C0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: C10000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 10C0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 2AF0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 2A40000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: CA0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 2890000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 4890000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 1530000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 30E0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 2F30000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 1590000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 30F0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 2F20000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 17A0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 31F0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 2FE0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: EB0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 2810000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 4810000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: E60000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 2CB0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 2AE0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 2130000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 23F0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 2130000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 1620000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 3180000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 3080000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 1590000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 2ED0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Memory allocated: 4ED0000 memory reserve | memory write watch
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Thread delayed: delay time: 600000
                  Source: C:\Windows\explorer.exe  Window / User API: threadDelayed 439
                  Source: C:\Windows\explorer.exe  Window / User API: threadDelayed 3449
                  Source: C:\Windows\explorer.exe  Window / User API: threadDelayed 905
                  Source: C:\Windows\explorer.exe  Window / User API: threadDelayed 1179
                  Source: C:\Windows\explorer.exe  Window / User API: foregroundWindowGot 878
                  Source: C:\Windows\explorer.exe  Window / User API: foregroundWindowGot 873
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsq35F8.tmp\nsProcess.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe  Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libcef.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe  Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe  Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe  Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libEGL.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe  Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe  Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\log4net.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe  Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe  Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe  Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe  Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsaF0B8.tmp\liteFirewall.dll
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsq35F8.tmp\INetC.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe  Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe  Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Del.exe
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe  Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsq35F8.tmp\blowfish.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe  Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe  Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe  Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll
                  Source: C:\Users\user\AppData\Local\Temp\setup.exe  Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll
                  Source: C:\Windows\explorer.exe TID: 6588  Thread sleep time: -344900s >= -30000s
                  Source: C:\Windows\explorer.exe TID: 6412  Thread sleep time: -90500s >= -30000s
                  Source: C:\Windows\explorer.exe TID: 3924  Thread sleep time: -30000s >= -30000s
                  Source: C:\Windows\explorer.exe TID: 3116  Thread sleep time: -33200s >= -30000s
                  Source: C:\Windows\explorer.exe TID: 6588  Thread sleep time: -117900s >= -30000s
                  Source: C:\Users\user\AppData\Local\Temp\263.exe TID: 5972  Thread sleep time: -240000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe TID: 4580  Thread sleep time: -600000s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe  Last function: Thread delayed
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe | Code function: 8_2_00405B4A CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe | Code function: 8_2_004066FF FindFirstFileA,FindClose
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe | Code function: 8_2_004027AA FindFirstFileA
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: 9_2_006924BD FindFirstFileExW
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: 9_2_03441000 FindFirstFileW,FindNextFileW,EnterCriticalSection,LeaveCriticalSection
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: 9_2_03444E27 FindFirstFileW,EnterCriticalSection,LeaveCriticalSection,FindNextFileW
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: 9_2_03441D3C FindFirstFileW,FindNextFileW
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: 9_2_034440BA FindFirstFileW,FindNextFileW
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: 9_2_03443EFC FindFirstFileW,FindNextFileW
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: 9_2_03442054 GetCurrentHwProfileA,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Thread delayed: delay time: 600000
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\Cache\
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | File opened: C:\Users\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | File opened: C:\Users\user\AppData\Local\Adobe\
                  Source: explorer.exe, 00000002.00000000.2061150858.0000000009AF9000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0r
                  Source: explorer.exe, 00000002.00000000.2061150858.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
                  Source: 263.exe, 00000005.00000003.2443291241.0000000003F6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
                  Source: 263.exe, 00000005.00000003.2443291241.0000000003F6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                  Source: explorer.exe, 00000002.00000000.2055214530.0000000000F13000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000A
                  Source: 263.exe, 00000005.00000003.2443291241.0000000003F6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696428655
                  Source: 263.exe, 00000005.00000003.2443211608.0000000003F7B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: - GDCDYNVMware20,11696428655p
                  Source: 698B.exe, 00000009.00000002.3454319928.0000000000BAE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW O
                  Source: explorer.exe, 00000002.00000000.2061150858.0000000009B2C000.00000004.00000001.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2469202741.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2469729553.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000002.2536376520.0000000000C17000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2470824131.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2535540317.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2453291170.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000002.2536376520.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2468406053.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2470272169.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2483276485.0000000000C54000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                  Source: 263.exe, 00000005.00000003.2443291241.0000000003F6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
                  Source: 263.exe, 00000005.00000003.2443291241.0000000003F6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                  Source: 263.exe, 00000005.00000003.2443291241.0000000003F6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696428655
                  Source: explorer.exe, 00000002.00000000.2061150858.0000000009B89000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTcaVMWare
                  Source: 263.exe, 00000005.00000003.2443291241.0000000003F6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696428655o
                  Source: explorer.exe, 00000002.00000000.2061150858.0000000009B89000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware SATA CD00
                  Source: 263.exe, 00000005.00000003.2443291241.0000000003F6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696428655
                  Source: 263.exe, 00000005.00000003.2443291241.0000000003F6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
                  Source: 263.exe, 00000005.00000003.2443291241.0000000003F6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                  Source: explorer.exe, 00000002.00000000.2057409400.00000000076F8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}^
                  Source: 263.exe, 00000005.00000003.2443211608.0000000003F7B000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: YNVMware
                  Source: 263.exe, 00000005.00000003.2443291241.0000000003F6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
                  Source: explorer.exe, 00000002.00000000.2056352447.0000000003554000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.NoneVMware-42 27 d9 2e dc 89 72 dX
                  Source: 263.exe, 00000005.00000003.2443291241.0000000003F6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696428655x
                  Source: explorer.exe, 00000002.00000000.2061150858.0000000009B89000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
                  Source: explorer.exe, 00000002.00000000.2061150858.0000000009B41000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: explorer.exe, 00000002.00000000.2057409400.000000000769A000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: 263.exe, 00000005.00000003.2443291241.0000000003F6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                  Source: explorer.exe, 00000002.00000000.2057409400.00000000076F8000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}99105f770555d7dd
                  Source: 263.exe, 00000005.00000003.2443291241.0000000003F6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
                  Source: explorer.exe, 00000002.00000000.2061150858.0000000009B89000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                  Source: explorer.exe, 00000002.00000000.2056352447.0000000003554000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware, Inc.
                  Source: 263.exe, 00000005.00000003.2443291241.0000000003F6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696428655f
                  Source: 263.exe, 00000005.00000003.2443291241.0000000003F6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
                  Source: 263.exe, 00000005.00000003.2443291241.0000000003F6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                  Source: 263.exe, 00000005.00000003.2443291241.0000000003F6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                  Source: 263.exe, 00000005.00000003.2443291241.0000000003F6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                  Source: 263.exe, 00000005.00000003.2443291241.0000000003F6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
                  Source: 263.exe, 00000005.00000003.2443291241.0000000003F6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                  Source: 263.exe, 00000005.00000003.2443291241.0000000003F6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696428655t
                  Source: 263.exe, 00000005.00000003.2443291241.0000000003F6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                  Source: 263.exe, 00000005.00000003.2443291241.0000000003F6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                  Source: 263.exe, 00000005.00000003.2443291241.0000000003F6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428655s
                  Source: 263.exe, 00000005.00000003.2443291241.0000000003F6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                  Source: 263.exe, 00000005.00000003.2443291241.0000000003F6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696428655
                  Source: explorer.exe, 00000002.00000000.2061150858.0000000009B89000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                  Source: 263.exe, 00000005.00000003.2443291241.0000000003F6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                  Source: explorer.exe, 00000002.00000000.2056352447.0000000003554000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware-42 27 d9 2e dc 89 72 dX
                  Source: 263.exe, 00000005.00000003.2443291241.0000000003F6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696428655j
                  Source: 263.exe, 00000005.00000003.2443291241.0000000003F6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
                  Source: explorer.exe, 00000002.00000000.2056352447.0000000003554000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: VMware,p
                  Source: 263.exe, 00000005.00000003.2443291241.0000000003F6D000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                  Source: 3D69.exe, 00000008.00000003.3958727335.00000000007AE000.00000004.00000020.00020000.00000000.sdmp, 3D69.exe, 00000008.00000002.4026210162.00000000007B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWA
                  Source: explorer.exe, 00000002.00000000.2055214530.0000000000F13000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe | API call chain: ExitProcess graph end node (graph_8-3604)
                  Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                  Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                  Anti Debugging

                  Source: C:\Users\user\Desktop\file.exe | System information queried: CodeIntegrityInformation
                  Source: C:\Users\user\AppData\Roaming\tvgrbbh | System information queried: CodeIntegrityInformation
                  Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                  Source: C:\Users\user\AppData\Roaming\tvgrbbh | Process queried: DebugPort
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: 9_2_00684383 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe | Code function: 8_2_100010D0 GetVersionExA,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,WideCharToMultiByte,lstrcmpiA,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenA,lstrcpynA,lstrcmpiA,CloseHandle,FreeLibrary
                  Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_02DA4E2F push dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04820D90 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0482092B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\tvgrbbh | Code function: 4_2_02C60D90 mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\tvgrbbh | Code function: 4_2_02C6092B mov eax, dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Roaming\tvgrbbh | Code function: 4_2_02E747FF push dword ptr fs:[00000030h]
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: 9_2_00695891 GetProcessHeap
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: 9_2_00680495 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: 9_2_00680622 SetUnhandledExceptionFilter
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: 9_2_006806F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Memory allocated: page read and write | page guard

                  HIPS / PFW / Operating System Protection Evasion

                  Source: C:\Windows\explorer.exe | File created: 263.exe.2.dr
                  Source: C:\Users\user\Desktop\file.exe | Thread created: C:\Windows\explorer.exe EIP: 30519D0
                  Source: C:\Users\user\AppData\Roaming\tvgrbbh | Thread created: unknown EIP: 11219D0
                  Source: C:\Users\user\Desktop\file.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
                  Source: C:\Users\user\Desktop\file.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
                  Source: C:\Users\user\AppData\Roaming\tvgrbbh | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
                  Source: C:\Users\user\AppData\Roaming\tvgrbbh | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; STK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.133 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3516 --field-trial-handle=3520,i,255411136791549311,11110477984056802424,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; STK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.133 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3732 --field-trial-handle=3520,i,255411136791549311,11110477984056802424,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; STK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.133 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=4064 --field-trial-handle=3520,i,255411136791549311,11110477984056802424,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; STK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.133 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1720019080238565 --launch-time-ticks=5451895126 --mojo-platform-channel-handle=2284 --field-trial-handle=3520,i,255411136791549311,11110477984056802424,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; STK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.133 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1720019080238565 --launch-time-ticks=5451915685 --mojo-platform-channel-handle=4032 --field-trial-handle=3520,i,255411136791549311,11110477984056802424,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe | Process created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: unknown unknown
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; stk-l21) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.133 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3516 --field-trial-handle=3520,i,255411136791549311,11110477984056802424,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:2
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=storage.mojom.storageservice --lang=en-us --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; stk-l21) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.133 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3732 --field-trial-handle=3520,i,255411136791549311,11110477984056802424,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-us --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; stk-l21) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.133 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=4064 --field-trial-handle=3520,i,255411136791549311,11110477984056802424,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; stk-l21) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.133 mobile safari/537.36" --user-data-dir="c:\users\user\appdata\local\cef\user data" --first-renderer-process --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1720019080238565 --launch-time-ticks=5451895126 --mojo-platform-channel-handle=2284 --field-trial-handle=3520,i,255411136791549311,11110477984056802424,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; stk-l21) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.133 mobile safari/537.36" --user-data-dir="c:\users\user\appdata\local\cef\user data" --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1720019080238565 --launch-time-ticks=5451915685 --mojo-platform-channel-handle=4032 --field-trial-handle=3520,i,255411136791549311,11110477984056802424,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; stk-l21) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.133 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3516 --field-trial-handle=3520,i,255411136791549311,11110477984056802424,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:2
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=storage.mojom.storageservice --lang=en-us --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; stk-l21) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.133 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3732 --field-trial-handle=3520,i,255411136791549311,11110477984056802424,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-us --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; stk-l21) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.133 mobile safari/537.36" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=4064 --field-trial-handle=3520,i,255411136791549311,11110477984056802424,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; stk-l21) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.133 mobile safari/537.36" --user-data-dir="c:\users\user\appdata\local\cef\user data" --first-renderer-process --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1720019080238565 --launch-time-ticks=5451895126 --mojo-platform-channel-handle=2284 --field-trial-handle=3520,i,255411136791549311,11110477984056802424,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeProcess created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (linux; android 10; stk-l21) applewebkit/537.36 (khtml, like gecko) chrome/126.0.6478.133 mobile safari/537.36" --user-data-dir="c:\users\user\appdata\local\cef\user data" --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1720019080238565 --launch-time-ticks=5451915685 --mojo-platform-channel-handle=4032 --field-trial-handle=3520,i,255411136791549311,11110477984056802424,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
                  Source: explorer.exe, 00000002.00000000.2061150858.0000000009B89000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd=
                  Source: explorer.exe, 00000002.00000000.2055524787.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program Manager
                  Source: explorer.exe, 00000002.00000000.2057274981.0000000004B00000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2055524787.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                  Source: explorer.exe, 00000002.00000000.2055524787.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                  Source: explorer.exe, 00000002.00000000.2055524787.0000000001731000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                  Source: explorer.exe, 00000002.00000000.2055214530.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PProgman
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: 9_2_0068013C cpuid 9_2_0068013C
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: EnumSystemLocalesW,9_2_00695051
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,9_2_006950DC
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: GetLocaleInfoW,9_2_0068E096
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: GetLocaleInfoW,9_2_0069532F
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,9_2_00695458
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: GetLocaleInfoW,9_2_0069555E
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,9_2_00695634
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: EnumSystemLocalesW,9_2_0068DBC7
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: GetACP,IsValidCodePage,GetLocaleInfoW,9_2_00694CBF
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: EnumSystemLocalesW,9_2_00694F6B
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: EnumSystemLocalesW,9_2_00694FB6
                  Note (editorial, not a sandbox signature): a cluster of EnumSystemLocalesW, GetLocaleInfoW, GetACP, IsValidCodePage, IsValidLocale and GetUserDefaultLCID calls at adjacent addresses is the shape of the statically linked MSVC C runtime's locale initialisation (the code behind setlocale), so these entries on their own are weak evidence of deliberate locale-based targeting; the cpuid instruction is likewise used both by the CRT's CPU-feature probe and by hypervisor checks, and this listing does not say which. The stealer and VM-evasion verdicts in this report rest on the other signatures, not on these lines.
                  Source: C:\Users\user\AppData\Local\Temp\263.exeQueries volume information: C:\ VolumeInformationJump to behavior
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | Code function: 9_2_0068038F GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,9_2_0068038F
                  Source: C:\Users\user\AppData\Local\Temp\3D69.exe | Code function: 8_2_004034CC EntryPoint,SetErrorMode,GetVersionExA,GetVersionExA,GetVersionExA,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,8_2_004034CC
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                  Source: 263.exe, 00000005.00000003.2509456015.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2499312676.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2535409953.0000000000CBB000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000002.2536786299.0000000000CBB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                  Stealing of Sensitive Information

                  Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                  Source: Yara match | File source: Process Memory Space: 263.exe PID: 6948, type: MEMORYSTR
                  Source: Yara match | File source: 9.2.698B.exe.c68c00.2.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.698B.exe.3440000.3.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.698B.exe.c60540.1.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.698B.exe.c60540.1.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.698B.exe.3440000.3.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 9.2.698B.exe.c68c00.2.raw.unpack, type: UNPACKEDPE
                  Source: Yara match | File source: 00000009.00000002.3455474502.0000000003440000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000009.00000002.3454319928.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: Process Memory Space: 698B.exe PID: 3144, type: MEMORYSTR
                  Source: Yara match | File source: 00000004.00000002.2308869402.0000000002C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000004.00000002.2308952172.0000000002DB1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2074082205.0000000004861000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                  Source: Yara match | File source: 00000000.00000002.2074046706.0000000004840000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                  Source: 263.exe, 00000005.00000003.2469202741.0000000000C54000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Electrum
                  Source: 263.exe, 00000005.00000003.2469202741.0000000000C54000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/ElectronCash
                  Source: 263.exe, 00000005.00000003.2469202741.0000000000C54000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: window-state.json
                  Source: 263.exe, 00000005.00000003.2469202741.0000000000C54000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/JAXX New Version
                  Source: 263.exe, 00000005.00000003.2483276485.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.wallet
                  Source: 263.exe, 00000005.00000003.2469202741.0000000000C54000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: ExodusWeb3
                  Source: 263.exe, 00000005.00000003.2429952734.0000000000C54000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance
                  Source: 263.exe, 00000005.00000003.2469202741.0000000000C54000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Wallets/Ethereum
                  Source: 263.exe, 00000005.00000003.2453265148.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
                  Source: 263.exe, 00000005.00000003.2453265148.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: keystore
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                  Source: C:\Users\user\AppData\Local\Temp\698B.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Roaming\Ledger Live
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Roaming\Binance
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
                  Source: C:\Users\user\AppData\Local\Temp\263.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
                  Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exeDirectory queried: number of queries: 1478
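The wallet directories that 263.exe opens above are the concrete artifact a defender can hunt on: a legitimate wallet application reads its own directory, a stealer sweeps several products from a binary that has no business being there. The block below is an added example (not code from this report or from Joe Sandbox) of triage logic over file-open telemetry. It maps each opened path to the wallet product it belongs to and flags a process that either runs from an untrusted location (Temp, or a bare file dropped into AppData\Roaming like tvgrbbh) or touches two or more wallet products. The wallet paths are those listed above; the sample events, the PIDs other than 6948, the Electrum installer path, the location policy and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Wallet directories the sandbox recorded 263.exe opening (paths taken from
# the report), keyed by wallet product and written relative to the profile
# root so they match regardless of username.
WALLET_DIRS = {
    "Coinomi":      r"\AppData\Local\Coinomi\Coinomi\wallets",
    "Bitcoin Core": r"\AppData\Roaming\Bitcoin\wallets",
    "Binance":      r"\AppData\Roaming\Binance",
    "Jaxx":         r"\AppData\Roaming\com.liberty.jaxx\IndexedDB",
    "Electrum":     r"\AppData\Roaming\Electrum\wallets",
    "Electrum-LTC": r"\AppData\Roaming\Electrum-LTC\wallets",
    "Guarda":       r"\AppData\Roaming\Guarda\IndexedDB",
}

# Images that should never read wallet data: anything running from Temp, or a
# bare file sitting directly in AppData\Roaming.  This is a hypothetical triage
# policy for the example, not a signature from the sandbox.
SUSPICIOUS_IMAGE = re.compile(
    r"\\AppData\\Local\\Temp\\|\\AppData\\Roaming\\[^\\]+$", re.IGNORECASE)

# A legitimate wallet app opens its own directory; a stealer sweeps several
# vendors in one run.  Flag at this many distinct vendors (assumed threshold).
SWEEP_THRESHOLD = 2


def wallet_vendor(path):
    """Return the wallet product whose directory `path` falls under, or None."""
    p = path.lower()
    for vendor, rel in WALLET_DIRS.items():
        if rel.lower() in p:
            return vendor
    return None


def triage(events):
    """events: iterable of (pid, image_path, opened_path) file-open records.

    Returns one dict per flagged process, sorted by pid, with the wallet
    products it touched and the reason it was flagged."""
    touched = defaultdict(set)          # (pid, image) -> wallet vendors opened
    for pid, image, path in events:
        vendor = wallet_vendor(path)
        if vendor:
            touched[(pid, image)].add(vendor)

    flagged = []
    for (pid, image), vendors in touched.items():
        untrusted = bool(SUSPICIOUS_IMAGE.search(image))
        if untrusted or len(vendors) >= SWEEP_THRESHOLD:
            flagged.append({
                "pid": pid,
                "image": image,
                "vendors": sorted(vendors),
                "reason": "untrusted image" if untrusted else "multi-wallet sweep",
            })
    return sorted(flagged, key=lambda f: f["pid"])


# Constructed sample telemetry: the 263.exe opens mirror the report above; the
# Electrum and explorer.exe records are benign activity added for contrast.
SAMPLE_EVENTS = [
    (6948, r"C:\Users\user\AppData\Local\Temp\263.exe", r"C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets"),
    (6948, r"C:\Users\user\AppData\Local\Temp\263.exe", r"C:\Users\user\AppData\Roaming\Bitcoin\wallets"),
    (6948, r"C:\Users\user\AppData\Local\Temp\263.exe", r"C:\Users\user\AppData\Roaming\Electrum\wallets"),
    (6948, r"C:\Users\user\AppData\Local\Temp\263.exe", r"C:\Users\user\AppData\Roaming\Guarda\IndexedDB"),
    (4120, r"C:\Program Files (x86)\Electrum\electrum.exe", r"C:\Users\user\AppData\Roaming\Electrum\wallets\default_wallet"),
    (3280, r"C:\Windows\explorer.exe", r"C:\Users\user\Desktop\notes.txt"),
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

The two conditions are deliberately independent: the location rule catches a single wallet read from a dropped binary, the sweep rule catches a signed or well-placed process that still walks every wallet vendor, which is the behaviour the "Found many strings related to Crypto-Wallets" signature points at.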
Source: Yara match | File source: 00000005.00000003.2469202741.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.2453265148.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.2472656065.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.2469729553.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.2442545609.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.2483423717.0000000000CB2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.2470824131.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.2469729553.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.2470272169.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.2470824131.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.2468406053.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.2468406053.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.2454270658.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.2470272169.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.2483276485.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.2442768561.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.2468180079.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.2468180079.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.2453693176.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.2469202741.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.2430706446.0000000000CAF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.2483243871.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.2429925382.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.2472656065.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 263.exe PID: 6948, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 263.exe PID: 6948, type: MEMORYSTR
Source: Yara match | File source: 9.2.698B.exe.c68c00.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.698B.exe.3440000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.698B.exe.c60540.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.698B.exe.c60540.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.698B.exe.3440000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.698B.exe.c68c00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.3455474502.0000000003440000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3454319928.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 698B.exe PID: 3144, type: MEMORYSTR
Source: Yara match | File source: 00000004.00000002.2308869402.0000000002C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2308952172.0000000002DB1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2074082205.0000000004861000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2074046706.0000000004840000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix

Tactic columns in the matrix: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact.

Only the techniques listed below carry signature badges for this sample; the remaining cells of the matrix (including all Reconnaissance, Resource Development, Initial Access, Lateral Movement and Exfiltration techniques) are empty. The Badges column reproduces the digits of the badge(s) as extracted from each cell.

Tactic               | Technique                                | Badges
Execution            | Windows Management Instrumentation       | 1
Execution            | Native API                               | 11
Execution            | Exploitation for Client Execution        | 1
Execution            | Command and Scripting Interpreter        | 1
Execution            | PowerShell                               | 1
Persistence          | DLL Side-Loading                         | 1
Persistence          | Windows Service                          | 1
Persistence          | Registry Run Keys / Startup Folder       | 1
Privilege Escalation | DLL Side-Loading                         | 1
Privilege Escalation | Access Token Manipulation                | 1
Privilege Escalation | Windows Service                          | 1
Privilege Escalation | Process Injection                        | 312
Privilege Escalation | Registry Run Keys / Startup Folder       | 1
Defense Evasion      | Disable or Modify Tools                  | 1
Defense Evasion      | Deobfuscate/Decode Files or Information  | 111
Defense Evasion      | Obfuscated Files or Information          | 31
Defense Evasion      | Software Packing                         | 22
Defense Evasion      | Timestomp                                | 1
Defense Evasion      | DLL Side-Loading                         | 1
Defense Evasion      | File Deletion                            | 1
Defense Evasion      | Masquerading                             | 11
Defense Evasion      | Virtualization/Sandbox Evasion           | 241
Defense Evasion      | Access Token Manipulation                | 1
Defense Evasion      | Process Injection                        | 312
Defense Evasion      | Hidden Files and Directories             | 1
Credential Access    | OS Credential Dumping                    | 1
Discovery            | System Time Discovery                    | 1
Discovery            | File and Directory Discovery             | 13
Discovery            | System Information Discovery             | 137
Discovery            | Security Software Discovery              | 651
Discovery            | Virtualization/Sandbox Evasion           | 241
Discovery            | Process Discovery                        | 3
Discovery            | Application Window Discovery             | 1
Discovery            | Remote System Discovery                  | 1
Collection           | Archive Collected Data                   | 11
Collection           | Data from Local System                   | 3
Collection           | Screen Capture                           | 1
Collection           | Clipboard Data                           | 1
Command and Control  | Ingress Tool Transfer                    | 1
Command and Control  | Encrypted Channel                        | 2
Command and Control  | Application Layer Protocol               | 1
Impact               | System Shutdown/Reboot                   | 1

                  Legend:

                  • Process
                  • Signature
                  • Created File
                  • DNS/IP Info
                  • Is Dropped
                  • Is Windows Process
                  • Number of created Registry Values
                  • Number of created Files
                  • Visual Basic
                  • Delphi
                  • Java
                  • .Net C# or VB.NET
                  • C, C++ or other language
                  • Is malicious
                  • Internet
Behavior Graph (ID: 1467124; sample: file.exe; start date: 03/07/2024; architecture: WINDOWS; score: 100)

Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 11 other signatures

file.exe (started)
    signatures: Detected unpacking (changes PE section rights); Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
    -> explorer.exe (injected; graph counters 91, 10)
        network: 189.165.129.60 UninetSAdeCVMX Mexico; 137.74.196.132 OVHFR France; 4 other IPs or domains
        dropped: C:\Users\user\AppData\Roaming\tvgrbbh (PE32); C:\Users\user\AppData\Local\Temp\698B.exe (PE32); C:\Users\user\AppData\Local\Temp\3D69.exe (PE32); 2 other malicious files
        signatures: System process connects to network (likely due to code injection or exploit); Benign windows process drops PE files; Deletes itself after installation; Hides that the sample has been downloaded from the Internet (zone.identifier)
        -> 3D69.exe (started; graph counters 3, 35)
            dropped: C:\Users\user\AppData\Local\Temp\setup.exe (PE32); C:\Users\user\AppData\Local\...\blowfish.dll (PE32); C:\Users\user\AppData\Local\...\huge[1].dat (PE32); 2 other files (none is malicious)
            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file
            -> setup.exe (started; graph counter 112)
                dropped: C:\Users\user\AppData\...\vulkan-1.dll (PE32); C:\Users\user\AppData\...\vk_swiftshader.dll (PE32); C:\Users\user\AppData\...\libGLESv2.dll (PE32); 16 other files (13 malicious)
                signatures: Antivirus detection for dropped file
                -> GamePall.exe (started)
                    network: 104.21.45.251 CLOUDFLARENETUS United States
                    signatures: Antivirus detection for dropped file; Machine Learning detection for dropped file
                    -> GamePall.exe (started), GamePall.exe (started), GamePall.exe (started), 6 other processes
                        -> first child: GamePall.exe (started), GamePall.exe (started), GamePall.exe (started), 6 other processes
                            -> its first child: GamePall.exe (started) x3; second child: GamePall.exe (started) x2; third child: GamePall.exe (started) x1
        -> 263.exe (started)
            network: 188.114.97.3 CLOUDFLARENETUS European Union
            signatures: Query firmware table information (likely to detect VMs); Machine Learning detection for dropped file; Found many strings related to Crypto-Wallets (likely being stolen); 3 other signatures
        -> 698B.exe (started; graph counter 12)
            network: 146.70.169.164 TENET-1ZA United Kingdom; 104.192.141.1 AMAZON-02US United States
            signatures: Detected unpacking (creates a PE file in dynamic memory); Found evasive API chain (may stop execution after checking mutex); Tries to harvest and steal browser information (history, passwords, etc)
        -> GamePall.exe (started)
            -> GamePall.exe (started), GamePall.exe (started)
tvgrbbh (started)
    signatures: Multi AV Scanner detection for dropped file; Checks if the current machine is a virtual machine (disk enumeration); Creates a thread in another existing process (thread injection)

The numeric graph counters next to a process are the created-file and created-registry-value counts from the legend above, in the order the graph renders them.

Antivirus detection, submitted sample

Source   | Detection | Scanner        | Label
file.exe | 37%       | ReversingLabs  |
file.exe | 100%      | Joe Sandbox ML |

Antivirus detection, dropped files

Source                                                                          | Detection | Scanner        | Label
C:\Users\user\AppData\Local\Temp\3D69.exe                                       | 100%      | Avira          | HEUR/AGEN.1359405
C:\Users\user\AppData\Local\Temp\setup.exe                                      | 100%      | Avira          | HEUR/AGEN.1359405
C:\Users\user\AppData\Roaming\GamePall\GamePall.exe                             | 100%      | Avira          | HEUR/AGEN.1352426
C:\Users\user\AppData\Local\Temp\263.exe                                        | 100%      | Avira          | HEUR/AGEN.1313486
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat | 100%      | Avira          | HEUR/AGEN.1359405
C:\Users\user\AppData\Local\Temp\698B.exe                                       | 100%      | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\GamePall\Del.exe                                  | 100%      | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\GamePall\GamePall.exe                             | 100%      | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\263.exe                                        | 100%      | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat | 3%        | ReversingLabs  | Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\263.exe                                        | 68%       | ReversingLabs  | Win32.Trojan.Smokeloader
C:\Users\user\AppData\Local\Temp\3D69.exe                                       | 21%       | ReversingLabs  |
C:\Users\user\AppData\Local\Temp\698B.exe                                       | 42%       | ReversingLabs  | Win32.Trojan.PovertyStealer
C:\Users\user\AppData\Local\Temp\nsaF0B8.tmp\liteFirewall.dll                   | 0%        | ReversingLabs  |
C:\Users\user\AppData\Local\Temp\nsq35F8.tmp\INetC.dll                          | 0%        | ReversingLabs  |
C:\Users\user\AppData\Local\Temp\nsq35F8.tmp\blowfish.dll                       | 5%        | ReversingLabs  |
C:\Users\user\AppData\Local\Temp\nsq35F8.tmp\nsProcess.dll                      | 0%        | ReversingLabs  |
C:\Users\user\AppData\Local\Temp\setup.exe                                      | 3%        | ReversingLabs  | Win32.Trojan.Generic
C:\Users\user\AppData\Roaming\GamePall\Del.exe                                  | 7%        | ReversingLabs  |
C:\Users\user\AppData\Roaming\GamePall\GamePall.exe                             | 3%        | ReversingLabs  |
C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll                            | 0%        | ReversingLabs  |
C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll                      | 0%        | ReversingLabs  |
C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe                            | 0%        | ReversingLabs  |
C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll                       | 0%        | ReversingLabs  |
C:\Users\user\AppData\Roaming\GamePall\chrome_elf.dll                           | 0%        | ReversingLabs  |
C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll                       | 3%        | ReversingLabs  |
C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll                       | 0%        | ReversingLabs  |
C:\Users\user\AppData\Roaming\GamePall\libEGL.dll                               | 0%        | ReversingLabs  |
C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll                            | 0%        | ReversingLabs  |
C:\Users\user\AppData\Roaming\GamePall\libcef.dll                               | 0%        | ReversingLabs  |
C:\Users\user\AppData\Roaming\GamePall\log4net.dll                              | 0%        | ReversingLabs  |
C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll                   | 0%        | ReversingLabs  |
C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll                | 0%        | ReversingLabs  |
C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll                       | 0%        | ReversingLabs  |
C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll                             | 0%        | ReversingLabs  |
C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll                   | 0%        | ReversingLabs  |
C:\Users\user\AppData\Roaming\tvgrbbh                                           | 37%       | ReversingLabs  |
                  No Antivirus matches
                  No Antivirus matches
URL and domain verdicts

URL | Detection | Scanner | Label
https://excel.office.com | 0% | URL Reputation | safe
http://crl.rootca1.amazontrust.com/rootca1.crl0 | 0% | URL Reputation | safe
http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | URL Reputation | safe
http://nsis.sf.net/NSIS_Error | 0% | URL Reputation | safe
https://android.notify.windows.com/iOS | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
http://schemas.micro | 0% | URL Reputation | safe
http://x1.c.lencr.org/0 | 0% | URL Reputation | safe
http://x1.i.lencr.org/0 | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://www.google.com/chrome/privacy/eula_text.html | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore?hl=mr&category=theme81https://myactivity.google.com/myactivity/?u | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?u | 0% | Avira URL Cloud | safe
https://foodypannyjsud.shop/api. | 100% | Avira URL Cloud | malware
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
https://foodypannyjsud.shop/o | 100% | Avira URL Cloud | malware
https://support.google.com/chrome/answer/6098869 | 0% | Avira URL Cloud | safe
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
https://foodypannyjsud.shop/t | 100% | Avira URL Cloud | malware
https://foodypannyjsud.shop/s | 100% | Avira URL Cloud | malware
https://chrome.google.com/webstore?hl=et&category=theme81https://myactivity.google.com/myactivity/?u | 0% | Avira URL Cloud | safe
http://logging.apache.org/log4net/release/faq.html#trouble-EventLog | 0% | Avira URL Cloud | safe
http://gebeus.ru/tmp/index.php | 100% | Avira URL Cloud | malware
https://chrome.google.com/webstore?hl=etCtrl$1 | 0% | Avira URL Cloud | safe
https://foodypannyjsud.shop/j | 100% | Avira URL Cloud | malware
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743. | 0% | Avira URL Cloud | safe
https://foodypannyjsud.shop/api( | 100% | Avira URL Cloud | malware
https://chrome.google.com/webstore?hl=urCtrl$2 | 0% | Avira URL Cloud | safe
https://photos.google.com/settings?referrer=CHROME_NTP | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore?hl=ltCtrl$1 | 0% | Avira URL Cloud | safe
http://cx5519.com/tmp/index.php | 100% | Avira URL Cloud | malware
https://passwords.google.com | 0% | Avira URL Cloud | safe
https://foodypannyjsud.shop/e5 | 100% | Avira URL Cloud | malware
https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl | 0% | Avira URL Cloud | safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe | 0% | Avira URL Cloud | safe
https://foodypannyjsud.shop/la | 100% | Avira URL Cloud | malware
contintnetksows.shop | 100% | Avira URL Cloud | malware
https://foodypannyjsud.shop/C | 100% | Avira URL Cloud | malware
http://xiexie.wf/22_551/huge.datmCGBZvyfGQlwd | 0% | Avira URL Cloud | safe
https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22 | 0% | Avira URL Cloud | safe
http://bageyou.xyz | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore?hl=ur&category=theme81https://myactivity.google.com/myactivity/?u | 0% | Avira URL Cloud | safe
http://evilos.cc/tmp/index.php | 100% | Avira URL Cloud | malware
https://bitbucket.org/ | 0% | Avira URL Cloud | safe
http://www.autoitscript.com/autoit3/J | 0% | Avira URL Cloud | safe
https://support.google.com/chromebook?p=app_intent | 0% | Avira URL Cloud | safe
https://foodypannyjsud.shop/6C | 100% | Avira URL Cloud | malware
https://foodypannyjsud.shop/apil | 100% | Avira URL Cloud | malware
https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u | 0% | Avira URL Cloud | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore?hl=mrCtrl$1 | 0% | Avira URL Cloud | safe
https://www.google.com/chrome/privacy/eula_text.html& | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore?hl=lt&category=theme81https://myactivity.google.com/myactivity/?u | 0% | Avira URL Cloud | safe
ellaboratepwsz.xyz | 100% | Avira URL Cloud | malware
swellfrrgwwos.xyz | 100% | Avira URL Cloud | malware
https://outlook.com | 0% | Avira URL Cloud | safe
http://ocsp.rootca1.amazontrust.com0: | 0% | Avira URL Cloud | safe
http://xiexie.wf/22_551/huge.dat | 0% | Avira URL Cloud | safe
https://www.google.com/chrome/privacy/eula_text.htmlT&r | 0% | Avira URL Cloud | safe
https://bitbucket.org/fcsdcvscvc/sadcasdv/raw/62af221cbc4d137cf4e95f7d66f3ced90597b434/kupee | 0% | Avira URL Cloud | safe
https://www.google.com/chrome/privacy/eula_text.htmlA&biHaldab | 0% | Avira URL Cloud | safe
https://foodypannyjsud.shop/apiK | 100% | Avira URL Cloud | malware
https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore?hl=ukCtrl$1 | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore?hl=tr&category=theme81https://myactivity.google.com/myactivity/?u | 0% | Avira URL Cloud | safe
foodypannyjsud.shop | 100% | Avira URL Cloud | malware
https://foodypannyjsud.shop/pi7 | 100% | Avira URL Cloud | malware
http://api.install-stat.debug.world/clients/installs | 0% | Avira URL Cloud | safe
pedestriankodwu.xyz | 100% | Avira URL Cloud | malware
https://foodypannyjsud.shop/es | 100% | Avira URL Cloud | malware
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477 | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore?hl=zh-CN&category=theme81https://myactivity.google.com/myactivity | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore?hl=uk&category=theme81https://myactivity.google.com/myactivity/?u | 0% | Avira URL Cloud | safe
https://support.google.com/chrome/a/answer/9122284 | 0% | Avira URL Cloud | safe
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore?hl=zh-CNCtrl$1 | 0% | Avira URL Cloud | safe
https://svn.apache.org/repos/asf/logging/log4net/tags/2.0.8RC1 | 0% | Avira URL Cloud | safe
https://foodypannyjsud.shop/fe | 100% | Avira URL Cloud | malware
http://www.unicode.org/copyright.html | 0% | Avira URL Cloud | safe
https://word.office.comon | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore?hl=zh-TW&category=theme81https://myactivity.google.com/myactivity | 0% | Avira URL Cloud | safe
https://powerpoint.office.comcember | 0% | Avira URL Cloud | safe
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi | 0% | Avira URL Cloud | safe
https://www.google.com/chrome/privacy/eula_text.htmlP&agalbaTvarko | 0% | Avira URL Cloud | safe
https://chrome.google.com/webstore?hl=zh-TWCtrl$1 | 0% | Avira URL Cloud | safe
towerxxuytwi.xyz | 100% | Avira URL Cloud | malware
https://foodypannyjsud.shop/api | 100% | Avira URL Cloud | malware
http://api.install-stat.debug.world/clients/activity | 0% | Avira URL Cloud | safe
https://myactivity.google.com/ | 0% | Avira URL Cloud | safe
http://www.apache.org/). | 0% | Avira URL Cloud | safe
https://foodypannyjsud.shop/ox | 100% | Avira URL Cloud | malware
https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged | 0% | Avira URL Cloud | safe
http://xiexie.wf/22_551/huge.dat247 | 0% | Avira URL Cloud | safe
https://chromeenterprise.google/policies/#BrowserSwitcherUrlList | 0% | Avira URL Cloud | safe
https://foodypannyjsud.shop/pi | 100% | Avira URL Cloud | malware
https://support.mozilla.org/products/firefoxgro.all | 0% | Avira URL Cloud | safe
https://policies.google.com/ | 0% | Avira URL Cloud | safe
http://office-techs.biz/tmp/index.php | 100% | Avira URL Cloud | malware
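The URL verdicts above are what an analyst turns into a blocklist, but in the report's plain-text export each row comes out with no column separators (for example `https://foodypannyjsud.shop/e5100%Avira URL Cloudmalware`), and a URL that itself ends in digits cannot be split by a naive "digits then %" regex. The block below is an added example (not part of the report and not Joe Sandbox code) that recovers the fields by peeling off the known scanner-and-label suffix, accepts column-separated rows as well, and reduces the rows to one verdict per host so that a bare hostname such as `contintnetksows.shop` and a full C2 URL end up in the same list. The sample rows are copied from the table above; the function names and the "malware wins" merge rule are the example's own.

```python
from urllib.parse import urlsplit

# Scanner names and verdict labels exactly as they appear in the report's
# URL table; the label fixes the percentage (malware is always 100%, safe 0%).
SCANNERS = ("Avira URL Cloud", "URL Reputation")
VERDICTS = (("malware", 100), ("safe", 0))


def parse_row(line):
    """Split one verdict row into url / detection / scanner / label.

    Handles both the separator-less export ('<url><pct>%<scanner><label>')
    and a ' | '-separated row.  For the separator-less form the URL is
    whatever precedes a known suffix, which is unambiguous even when the
    URL ends in digits.  Returns None for anything that is not a verdict row."""
    line = line.strip()
    if " | " in line:
        parts = [p.strip() for p in line.split(" | ")]
        if (len(parts) >= 4 and parts[1].endswith("%")
                and parts[1][:-1].isdigit() and parts[3] in ("safe", "malware")):
            return {"url": parts[0], "detection": int(parts[1][:-1]),
                    "scanner": parts[2], "label": parts[3]}
        return None
    for scanner in SCANNERS:
        for label, pct in VERDICTS:
            suffix = f"{pct}%{scanner}{label}"
            if line.endswith(suffix) and len(line) > len(suffix):
                return {"url": line[:-len(suffix)], "detection": pct,
                        "scanner": scanner, "label": label}
    return None


def host_of(url):
    """Hostname of a full URL, or the bare hostname the table sometimes lists."""
    if "://" in url:
        return (urlsplit(url).hostname or "").lower()
    return url.split("/", 1)[0].lower()


def summarize(lines):
    """Collapse verdict rows to one entry per host; 'malware' wins over 'safe'."""
    hosts = {}
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        host = host_of(row["url"])
        if not host:
            continue
        entry = hosts.setdefault(host, {"verdict": "safe", "urls": []})
        entry["urls"].append(row["url"])
        if row["label"] == "malware":
            entry["verdict"] = "malware"
    return hosts


def malicious_hosts(lines):
    """Sorted hostnames with at least one malware verdict (blocklist input)."""
    return sorted(h for h, e in summarize(lines).items() if e["verdict"] == "malware")


# Constructed sample: rows copied from the report's table, plus a header line
# and one column-separated row to show both accepted shapes.
SAMPLE_ROWS = [
    "https://excel.office.com0%URL Reputationsafe",
    "http://crl.rootca1.amazontrust.com/rootca1.crl00%URL Reputationsafe",
    "https://foodypannyjsud.shop/api.100%Avira URL Cloudmalware",
    "https://foodypannyjsud.shop/e5100%Avira URL Cloudmalware",
    "http://gebeus.ru/tmp/index.php100%Avira URL Cloudmalware",
    "contintnetksows.shop100%Avira URL Cloudmalware",
    "https://support.google.com/chrome/answer/60988690%Avira URL Cloudsafe",
    "http://xiexie.wf/22_551/huge.dat0%Avira URL Cloudsafe",
    "URL | Detection | Scanner | Label",
    "http://cx5519.com/tmp/index.php | 100% | Avira URL Cloud | malware",
]

if __name__ == "__main__":
    for host in malicious_hosts(SAMPLE_ROWS):
        print(host)
```

A URL-reputation verdict is not a clean bill of health on its own: the table rates http://xiexie.wf/22_551/huge.dat as safe, yet the huge[1].dat that 3D69.exe fetched from it is detected by Avira and ReversingLabs in the dropped-file table above, so a host should be judged together with what was downloaded from it rather than by the reputation column alone.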
                  No contacted domains info
Malicious domains and URLs

Name | Malicious | Antivirus Detection | Reputation
http://gebeus.ru/tmp/index.php | true | Avira URL Cloud: malware | unknown
http://cx5519.com/tmp/index.php | true | Avira URL Cloud: malware | unknown
contintnetksows.shop | true | Avira URL Cloud: malware | unknown
http://evilos.cc/tmp/index.php | true | Avira URL Cloud: malware | unknown
ellaboratepwsz.xyz | true | Avira URL Cloud: malware | unknown
swellfrrgwwos.xyz | true | Avira URL Cloud: malware | unknown
foodypannyjsud.shop | true | Avira URL Cloud: malware | unknown
pedestriankodwu.xyz | true | Avira URL Cloud: malware | unknown
towerxxuytwi.xyz | true | Avira URL Cloud: malware | unknown
http://office-techs.biz/tmp/index.php | true | Avira URL Cloud: malware | unknown
URLs found in memory and dropped files

Name | Source | Malicious | Antivirus Detection | Reputation
https://chrome.google.com/webstore?hl=vi&category=theme81https://myactivity.google.com/myactivity/?u | setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://foodypannyjsud.shop/api. | 263.exe, 00000005.00000003.2483451614.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp; 263.exe, 00000005.00000003.2483423717.0000000000CB2000.00000004.00000020.00020000.00000000.sdmp; 263.exe, 00000005.00000003.2483623632.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp; 263.exe, 00000005.00000003.2483813862.0000000000CC1000.00000004.00000020.00020000.00000000.sdmp; 263.exe, 00000005.00000003.2483243871.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://foodypannyjsud.shop/o | 263.exe, 00000005.00000003.2496940995.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://duckduckgo.com/chrome_newtab | 263.exe, 00000005.00000003.2431063628.0000000003F76000.00000004.00000800.00020000.00000000.sdmp; 698B.exe, 00000009.00000002.3456894478.0000000009EC4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://duckduckgo.com/ac/?q= | 263.exe, 00000005.00000003.2431063628.0000000003F76000.00000004.00000800.00020000.00000000.sdmp; 698B.exe, 00000009.00000002.3456894478.0000000009EC4000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://foodypannyjsud.shop/s | 263.exe, 00000005.00000003.2442545609.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp; 263.exe, 00000005.00000002.2536376520.0000000000C28000.00000004.00000020.00020000.00000000.sdmp; 263.exe, 00000005.00000003.2535540317.0000000000C28000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://foodypannyjsud.shop/t | 263.exe, 00000005.00000003.2429952734.0000000000C54000.00000004.00000020.00020000.00000000.sdmp; 263.exe, 00000005.00000003.2430831073.0000000000C54000.00000004.00000020.00020000.00000000.sdmp | true | Avira URL Cloud: malware | unknown
https://chrome.google.com/webstore?hl=mr&category=theme81https://myactivity.google.com/myactivity/?u | mr.pak.10.dr | false | Avira URL Cloud: safe | unknown
https://support.google.com/chrome/answer/6098869 | setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp; GamePall.exe, 0000000D.00000002.3750900674.0000000006A40000.00000002.00000001.00040000.0000001B.sdmp; et.pak.10.dr; mr.pak.10.dr; ur.pak.10.dr; en-US.pak.10.dr; lt.pak.10.dr | false | Avira URL Cloud: safe | unknown
https://www.google.com/chrome/privacy/eula_text.html | setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp; mr.pak.10.dr | false | Avira URL Cloud: safe | unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743. | 263.exe, 00000005.00000003.2455583262.0000000000CD0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://logging.apache.org/log4net/release/faq.html#trouble-EventLog | GamePall.exe, 0000000D.00000002.3743662991.00000000054F2000.00000002.00000001.01000000.00000011.sdmp | false | Avira URL Cloud: safe | unknown
https://chrome.google.com/webstore?hl=et&category=theme81https://myactivity.google.com/myactivity/?u | et.pak.10.dr | false | Avira URL Cloud: safe | unknown
                  https://chrome.google.com/webstore?hl=etCtrl$1et.pak.10.drfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://excel.office.comexplorer.exe, 00000002.00000000.2061150858.0000000009B89000.00000004.00000001.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  https://chrome.google.com/webstore?hl=urCtrl$2setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp, ur.pak.10.drfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://foodypannyjsud.shop/j263.exe, 00000005.00000003.2442545609.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2509456015.0000000000CB0000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000002.2536822854.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2535409953.0000000000CBB000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2536047799.0000000000CBE000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: malware
                  unknown
                  https://foodypannyjsud.shop/api(263.exe, 00000005.00000003.2429952734.0000000000C3F000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: malware
                  unknown
                  https://photos.google.com/settings?referrer=CHROME_NTPsetup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.3750900674.0000000006A40000.00000002.00000001.00040000.0000001B.sdmp, et.pak.10.dr, mr.pak.10.dr, ur.pak.10.dr, en-US.pak.10.dr, lt.pak.10.drfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://chrome.google.com/webstore?hl=ltCtrl$1lt.pak.10.drfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrlsetup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.3750900674.0000000006A40000.00000002.00000001.00040000.0000001B.sdmp, et.pak.10.dr, mr.pak.10.dr, ur.pak.10.dr, en-US.pak.10.dr, lt.pak.10.drfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://passwords.google.comsetup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp, ur.pak.10.dr, lt.pak.10.drfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://foodypannyjsud.shop/e5263.exe, 00000005.00000003.2430831073.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2429952734.0000000000C7B000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2442571497.0000000000C7B000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: malware
                  unknown
                  https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exeexplorer.exe, 00000002.00000000.2065596255.000000000C4DC000.00000004.00000001.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://foodypannyjsud.shop/C263.exe, 00000005.00000002.2536376520.0000000000C28000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2535540317.0000000000C28000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: malware
                  unknown
                  https://foodypannyjsud.shop/la263.exe, 00000005.00000003.2468180079.0000000000CA5000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: malware
                  unknown
                  http://xiexie.wf/22_551/huge.datmCGBZvyfGQlwd3D69.exe, 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.3750900674.0000000006A40000.00000002.00000001.00040000.0000001B.sdmp, et.pak.10.dr, mr.pak.10.dr, ur.pak.10.dr, en-US.pak.10.dr, lt.pak.10.drfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://bageyou.xyzGamePall.exe, 00000026.00000002.4558163950.00000000031D7000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://chrome.google.com/webstore?hl=ur&category=theme81https://myactivity.google.com/myactivity/?usetup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp, ur.pak.10.drfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://bitbucket.org/698B.exe, 00000009.00000002.3454319928.0000000000BED000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.autoitscript.com/autoit3/Jexplorer.exe, 00000002.00000000.2066235693.000000000C81C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2066235693.000000000C861000.00000004.00000001.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://foodypannyjsud.shop/apil263.exe, 00000005.00000003.2468180079.0000000000C47000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: malware
                  unknown
                  https://support.google.com/chromebook?p=app_intentsetup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.3750900674.0000000006A40000.00000002.00000001.00040000.0000001B.sdmp, et.pak.10.dr, mr.pak.10.dr, ur.pak.10.dr, en-US.pak.10.dr, lt.pak.10.drfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://foodypannyjsud.shop/6C263.exe, 00000005.00000003.2509456015.0000000000CB0000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: malware
                  unknown
                  https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?uGamePall.exe, 0000000D.00000002.3750900674.0000000006A40000.00000002.00000001.00040000.0000001B.sdmp, en-US.pak.10.drfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=263.exe, 00000005.00000003.2431063628.0000000003F76000.00000004.00000800.00020000.00000000.sdmp, 698B.exe, 00000009.00000002.3456894478.0000000009EC4000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://crl.rootca1.amazontrust.com/rootca1.crl0263.exe, 00000005.00000003.2454041695.0000000003F4E000.00000004.00000800.00020000.00000000.sdmp, 698B.exe, 00000009.00000003.3443726553.000000000A6DF000.00000004.00000020.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://ocsp.rootca1.amazontrust.com0:263.exe, 00000005.00000003.2454041695.0000000003F4E000.00000004.00000800.00020000.00000000.sdmp, 698B.exe, 00000009.00000003.3443726553.000000000A6DF000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://chrome.google.com/webstore?hl=mrCtrl$1mr.pak.10.drfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://nsis.sf.net/NSIS_ErrorError3D69.exe, 00000008.00000000.2523620989.000000000040A000.00000008.00000001.01000000.00000007.sdmp, 3D69.exe, 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp, setup.exe, 0000000A.00000000.3335097850.000000000040A000.00000008.00000001.01000000.0000000D.sdmp, setup.exe, 0000000A.00000003.3665927834.0000000000529000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 0000000A.00000002.3948585906.000000000040A000.00000004.00000001.01000000.0000000D.sdmp, 3D69.exe.2.drfalse
                  • URL Reputation: safe
                  unknown
                  https://www.google.com/chrome/privacy/eula_text.html&setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp, ur.pak.10.drfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://chrome.google.com/webstore?hl=lt&category=theme81https://myactivity.google.com/myactivity/?ult.pak.10.drfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://www.google.com/chrome/privacy/eula_text.htmlT&rsetup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://www.ecosia.org/newtab/263.exe, 00000005.00000003.2431063628.0000000003F76000.00000004.00000800.00020000.00000000.sdmp, 698B.exe, 00000009.00000002.3456894478.0000000009EC4000.00000004.00000020.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://xiexie.wf/22_551/huge.dat3D69.exe, 00000008.00000003.2527029591.0000000003070000.00000004.00001000.00020000.00000000.sdmp, 3D69.exe, 00000008.00000002.4026210162.00000000007B3000.00000004.00000020.00020000.00000000.sdmp, 3D69.exe, 00000008.00000002.4025984955.000000000077C000.00000004.00000020.00020000.00000000.sdmp, 3D69.exe, 00000008.00000003.3974152956.000000000077C000.00000004.00000020.00020000.00000000.sdmp, 3D69.exe, 00000008.00000002.4025525314.0000000000718000.00000004.00000020.00020000.00000000.sdmp, 3D69.exe, 00000008.00000003.3958727335.000000000077C000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://outlook.comexplorer.exe, 00000002.00000000.2061150858.0000000009B89000.00000004.00000001.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br263.exe, 00000005.00000003.2455031002.0000000004066000.00000004.00000800.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  https://bitbucket.org/fcsdcvscvc/sadcasdv/raw/62af221cbc4d137cf4e95f7d66f3ced90597b434/kupee698B.exe, 00000009.00000002.3454319928.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, 698B.exe, 00000009.00000002.3454319928.0000000000BA0000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://www.google.com/chrome/privacy/eula_text.htmlA&biHaldabet.pak.10.drfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrlsetup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.3750900674.0000000006A40000.00000002.00000001.00040000.0000001B.sdmp, et.pak.10.dr, mr.pak.10.dr, ur.pak.10.dr, en-US.pak.10.dr, lt.pak.10.drfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://foodypannyjsud.shop/apiK263.exe, 00000005.00000003.2483276485.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2497350743.0000000000C54000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: malware
                  unknown
                  http://nsis.sf.net/NSIS_Error3D69.exe, 3D69.exe, 00000008.00000000.2523620989.000000000040A000.00000008.00000001.01000000.00000007.sdmp, 3D69.exe, 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp, setup.exe, 0000000A.00000000.3335097850.000000000040A000.00000008.00000001.01000000.0000000D.sdmp, setup.exe, 0000000A.00000003.3665927834.0000000000529000.00000004.00000020.00020000.00000000.sdmp, setup.exe, 0000000A.00000002.3948585906.000000000040A000.00000004.00000001.01000000.0000000D.sdmp, 3D69.exe.2.drfalse
                  • URL Reputation: safe
                  unknown
                  https://chrome.google.com/webstore?hl=tr&category=theme81https://myactivity.google.com/myactivity/?usetup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://foodypannyjsud.shop/pi7263.exe, 00000005.00000002.2536822854.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2535409953.0000000000CBB000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2536047799.0000000000CBE000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: malware
                  unknown
                  https://chrome.google.com/webstore?hl=ukCtrl$1setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://android.notify.windows.com/iOSexplorer.exe, 00000002.00000000.2057409400.00000000076F8000.00000004.00000001.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://api.install-stat.debug.world/clients/installsGamePall.exe, 00000026.00000002.4558163950.00000000031D7000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://foodypannyjsud.shop/es263.exe, 00000005.00000003.2483451614.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2483423717.0000000000CB2000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2496940995.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2483623632.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2483813862.0000000000CC1000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2483243871.0000000000CAB000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: malware
                  unknown
                  https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref263.exe, 00000005.00000003.2455583262.0000000000CD0000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://support.google.com/chrome/a/answer/9122284setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp, et.pak.10.dr, mr.pak.10.dr, ur.pak.10.dr, lt.pak.10.drfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477263.exe, 00000005.00000003.2455583262.0000000000CD0000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://chrome.google.com/webstore?hl=uk&category=theme81https://myactivity.google.com/myactivity/?usetup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://chrome.google.com/webstore?hl=zh-CN&category=theme81https://myactivity.google.com/myactivitysetup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://foodypannyjsud.shop/fe263.exe, 00000005.00000003.2468406053.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2468180079.0000000000CA5000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: malware
                  unknown
                  https://chrome.google.com/webstore?hl=zh-CNCtrl$1setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://svn.apache.org/repos/asf/logging/log4net/tags/2.0.8RC1GamePall.exe, 0000000D.00000002.3743662991.00000000054F2000.00000002.00000001.01000000.00000011.sdmp, GamePall.exe, 0000000D.00000002.3743755777.0000000005536000.00000002.00000001.01000000.00000011.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://word.office.comonexplorer.exe, 00000002.00000000.2061150858.00000000099C0000.00000004.00000001.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.unicode.org/copyright.htmlGamePall.exe, 0000000D.00000002.3744870813.00000000065C7000.00000002.00000001.00040000.0000001A.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://powerpoint.office.comcemberexplorer.exe, 00000002.00000000.2065596255.000000000C460000.00000004.00000001.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi263.exe, 00000005.00000003.2455583262.0000000000CD0000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://chrome.google.com/webstore?hl=zh-TW&category=theme81https://myactivity.google.com/myactivitysetup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://www.google.com/chrome/privacy/eula_text.htmlP&agalbaTvarkolt.pak.10.drfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=263.exe, 00000005.00000003.2431063628.0000000003F76000.00000004.00000800.00020000.00000000.sdmp, 698B.exe, 00000009.00000002.3456894478.0000000009EC4000.00000004.00000020.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://schemas.microexplorer.exe, 00000002.00000000.2059574274.0000000008890000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2058038399.0000000007DC0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2059413579.0000000008870000.00000002.00000001.00040000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://api.install-stat.debug.world/clients/activityGamePall.exe, 00000026.00000002.4558163950.00000000031D7000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://chrome.google.com/webstore?hl=zh-TWCtrl$1setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://www.apache.org/).GamePall.exe, 0000000D.00000002.3743662991.00000000054F2000.00000002.00000001.01000000.00000011.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://foodypannyjsud.shop/api263.exe, 00000005.00000003.2442571497.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2472656065.0000000000C54000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: malware
                  unknown
                  https://myactivity.google.com/setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.3750900674.0000000006A40000.00000002.00000001.00040000.0000001B.sdmp, et.pak.10.dr, mr.pak.10.dr, ur.pak.10.dr, en-US.pak.10.dr, lt.pak.10.drfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://foodypannyjsud.shop/ox263.exe, 00000005.00000003.2442545609.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2442768561.0000000000CAB000.00000004.00000020.00020000.00000000.sdmptrue
                  • Avira URL Cloud: malware
                  unknown
                  http://xiexie.wf/22_551/huge.dat2473D69.exe, 00000008.00000002.4025525314.0000000000718000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
                  http://x1.c.lencr.org/0263.exe, 00000005.00000003.2454041695.0000000003F4E000.00000004.00000800.00020000.00000000.sdmp, 698B.exe, 00000009.00000003.3443726553.000000000A6DF000.00000004.00000020.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  http://x1.i.lencr.org/0263.exe, 00000005.00000003.2454041695.0000000003F4E000.00000004.00000800.00020000.00000000.sdmp, 698B.exe, 00000009.00000003.3443726553.000000000A6DF000.00000004.00000020.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  https://www.google.com/chrome/privacy/eula_text.htmlH&elpManagedGamePall.exe, 0000000D.00000002.3750900674.0000000006A40000.00000002.00000001.00040000.0000001B.sdmp, en-US.pak.10.drfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search263.exe, 00000005.00000003.2431063628.0000000003F76000.00000004.00000800.00020000.00000000.sdmp, 698B.exe, 00000009.00000002.3456894478.0000000009EC4000.00000004.00000020.00020000.00000000.sdmpfalse
                  • URL Reputation: safe
                  unknown
                  https://chromeenterprise.google/policies/#BrowserSwitcherUrlListsetup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.3750900674.0000000006A40000.00000002.00000001.00040000.0000001B.sdmp, et.pak.10.dr, mr.pak.10.dr, ur.pak.10.dr, en-US.pak.10.dr, lt.pak.10.drfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://policies.google.com/setup.exe, 0000000A.00000002.3950206213.000000000273D000.00000004.00000020.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.3750900674.0000000006A40000.00000002.00000001.00040000.0000001B.sdmp, et.pak.10.dr, mr.pak.10.dr, ur.pak.10.dr, en-US.pak.10.dr, lt.pak.10.drfalse
                  • Avira URL Cloud: safe
                  unknown
                  https://foodypannyjsud.shop/pi263.exe, 00000005.00000003.2453265148.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2483451614.0000000000CBD000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2483423717.0000000000CB2000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000002.2536822854.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2496940995.0000000000CC2000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2535409953.0000000000CBB000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2483623632.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2468180079.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2483813862.0000000000CC1000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2536047799.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, 263.exe, 00000005.00000003.2483243871.0000000000CAB000.00000004.00000020.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: malware
                  unknown
                  https://support.mozilla.org/products/firefoxgro.all263.exe, 00000005.00000003.2455031002.0000000004066000.00000004.00000800.00020000.00000000.sdmpfalse
                  • Avira URL Cloud: safe
                  unknown
IP               Domain    Country              ASN    ASN Name                                     Malicious
137.74.196.132   unknown   France               16276  OVH (FR)                                     true
77.221.157.163   unknown   Russian Federation   30968  INFOBOX-AS Infobox.ru Autonomous System (RU) true
104.192.141.1    unknown   United States        16509  AMAZON-02 (US)                               false
179.53.197.185   unknown   Dominican Republic   6400   Compania Dominicana de Telefonos S.A. (DO)   true
188.114.97.3     unknown   European Union       13335  CLOUDFLARENET (US)                           false
188.114.96.3     unknown   European Union       13335  CLOUDFLARENET (US)                           true
104.21.45.251    unknown   United States        13335  CLOUDFLARENET (US)                           false
189.165.129.60   unknown   Mexico               8151   Uninet S.A. de C.V. (MX)                     true
146.70.169.164   unknown   United Kingdom       2018   TENET-1 (ZA)                                 true
                  IP
                  127.0.0.127
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1467124
Start date and time: 2024-07-03 18:21:54 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 15m 24s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 39
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@283/115@0/10
EGA Information:
• Successful, ratio: 80%
HCA Information:
• Successful, ratio: 53%
• Number of executed functions: 108
• Number of non-executed functions: 87
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Execution Graph export aborted for target 263.exe, PID 6948 because there are no executed functions
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Skipping network analysis since amount of network traffic is too extensive
• VT rate limit hit for: file.exe
Time      Type             Description
12:22:59  API Interceptor  97194x Sleep call for process: explorer.exe modified
12:23:21  API Interceptor  9x Sleep call for process: 263.exe modified
12:25:31  API Interceptor  1x Sleep call for process: GamePall.exe modified
18:23:04  Task Scheduler   Run new task: Firefox Default Browser Agent A42FA82EEE5A70CB path: C:\Users\user\AppData\Roaming\tvgrbbh
18:25:28  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run GamePall C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
18:25:40  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run GamePall C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
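The timeline records two persistence mechanisms: a GamePall value in the HKCU Run key and a scheduled task that borrows the name of Firefox's default-browser agent but points into AppData\Roaming. The IP table above lists the hosts the sample contacted, and the URL table names foodypannyjsud.shop as the LummaC endpoint. The following PowerShell hunt is an added example, not part of the Joe Sandbox report, that checks a live Windows host for those indicators. It assumes that the legitimate Firefox agent runs from Program Files\Mozilla Firefox (so a task of that name running from anywhere else is suspect), that the report's HKCU and HKCU64 entries are the same non-redirected key seen from 32- and 64-bit processes, and that the Cloudflare addresses in the table (188.114.96.3, 188.114.97.3, 104.21.45.251) are shared anycast front ends that should be matched through the C2 hostname rather than by address.

```powershell
# Added hunting script; not part of the Joe Sandbox report. Read-only.
# Run in an elevated PowerShell 5.1 / 7 session on the host under review.
# Assumptions (see lead-in): stock Firefox agent path, shared Cloudflare IPs.

$ErrorActionPreference = 'SilentlyContinue'

# Indicators copied from the report's IP table, URL table and timeline.
# Cloudflare front ends are shared infrastructure and are deliberately left
# out of the IP list; the C2 is matched on its hostname instead.
$MaliciousIPs  = @('137.74.196.132', '77.221.157.163', '179.53.197.185',
                   '189.165.129.60', '146.70.169.164')
$C2Domains     = @('foodypannyjsud.shop')
$RunValueName  = 'GamePall'
$TaskPrefix    = 'Firefox Default Browser Agent'
$LegitAgentDir = Join-Path $env:ProgramFiles 'Mozilla Firefox'   # assumption: default install dir

$findings = [System.Collections.Generic.List[string]]::new()

# 1. HKCU Run key. The report lists HKCU and HKCU64 because the value was
#    observed from both 32- and 64-bit views; this key is not WOW64-redirected
#    (assumption stated in the lead-in), so one read covers both entries.
#    Anything launched from AppData\Roaming is flagged as well as the exact name.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$props  = Get-ItemProperty -Path $runKey
if ($props) {
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }            # provider metadata, not a value
        $cmd = [string]$p.Value
        if ($p.Name -eq $RunValueName -or $cmd -match '\\AppData\\Roaming\\') {
            $findings.Add("Run value '$($p.Name)' -> $cmd")
        }
    }
}

# 2. Scheduled task masquerading as Firefox's default-browser agent. The name
#    mimics a legitimate Mozilla task, so match on the prefix and then flag
#    any action whose executable is outside the stock Firefox directory.
$tasks = Get-ScheduledTask | Where-Object { $_.TaskName -like "$TaskPrefix*" }
foreach ($task in $tasks) {
    foreach ($action in $task.Actions) {
        $exe = ([string]$action.Execute).Trim('"')
        if ($exe -and -not $exe.StartsWith($LegitAgentDir, [System.StringComparison]::OrdinalIgnoreCase)) {
            $findings.Add("Task '$($task.TaskPath)$($task.TaskName)' runs $exe")
        }
    }
}

# 3. Network indicators: established TCP sessions to the C2 IPs and resolver
#    cache hits for the C2 domain. Both are transient, so a miss is not a
#    clean bill of health; pair this with proxy or DNS logs where available.
foreach ($conn in Get-NetTCPConnection -State Established) {
    if ($MaliciousIPs -contains $conn.RemoteAddress) {
        $owner = (Get-Process -Id $conn.OwningProcess).ProcessName
        $findings.Add("PID $($conn.OwningProcess) ($owner) -> $($conn.RemoteAddress):$($conn.RemotePort)")
    }
}
foreach ($entry in Get-DnsClientCache) {
    foreach ($domain in $C2Domains) {
        if ($entry.Entry -like "*$domain*") {
            $findings.Add("DNS cache: $($entry.Entry) -> $($entry.Data)")
        }
    }
}

# 4. On-disk artefacts at the paths the sandbox recorded. The tvgrbbh name is
#    specific to this run and will differ per infection, so the Run-key and
#    task checks above are the durable signals; this check is a bonus.
foreach ($path in @("$env:APPDATA\GamePall\GamePall.exe", "$env:APPDATA\tvgrbbh")) {
    if (Test-Path -LiteralPath $path) { $findings.Add("Artefact present: $path") }
}

if ($findings.Count -eq 0) {
    'No indicators from analysis 1467124 found on this host.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

The task check is deliberately path-based rather than name-based: a real Firefox install creates a task with the same prefix and a hex suffix, so blocking or alerting on the name alone would produce false positives on every Firefox host. Likewise the IP list omits the Cloudflare addresses even though the report marks 188.114.96.3 as malicious; those addresses front many unrelated sites, and the hostname is the discriminating indicator.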
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
77.221.157.163 | 5GOuTtZoQn.exe | Get hash | malicious | LummaC, Poverty Stealer, SmokeLoader | Browse |
77.221.157.163 | SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.15788.4670.exe | Get hash | malicious | LummaC, Poverty Stealer, SmokeLoader | Browse |
104.192.141.1 | A662vmc5co.exe | Get hash | malicious | Unknown | Browse | bitbucket.org/kennethoswald1/aoz918/downloads/LEraggt.exe
104.192.141.1 | lahPWgosNP.exe | Get hash | malicious | Amadey | Browse | bitbucket.org/alex222111/testproj/downloads/s7.exe
104.192.141.1 | SecuriteInfo.com.HEUR.Trojan.Script.Generic.18657.xlsx | Get hash | malicious | Unknown | Browse | bitbucket.org/!api/2.0/snippets/tinypro/rEG6d7/ba869eaf2433f3e0b56e4d0776eb5117fc09b21f/files/street-main
104.192.141.1 | SecuriteInfo.com.HEUR.Trojan.Script.Generic.18657.xlsx | Get hash | malicious | Unknown | Browse | bitbucket.org/!api/2.0/snippets/tinypro/rEG6d7/ba869eaf2433f3e0b56e4d0776eb5117fc09b21f/files/street-main
104.192.141.1 | SecuriteInfo.com.HEUR.Trojan.Script.Generic.20331.xlsx | Get hash | malicious | Unknown | Browse | bitbucket.org/!api/2.0/snippets
104.192.141.1 | SecuriteInfo.com.HEUR.Trojan.Script.Generic.20331.xlsx | Get hash | malicious | Unknown | Browse | bitbucket.org/!api/2.0/snippets
104.192.141.1 | Paid invoice.ppa | Get hash | malicious | AgentTesla | Browse | bitbucket.org/!api/2.0/snippets/warzonepro/Egjbp5/1b96dd9b300f88e62e18db3170d33bf037793d72/files/euromanmain
104.192.141.1 | PO#1487958_10.ppa | Get hash | malicious | Unknown | Browse | bitbucket.org/!api/2.0/snippets/warzonepro/KME7g4/7678df565d5a8824274645a03590fc72588243f0/files/orignalfinal
104.192.141.1 | Purchase Inquiry_pdf.ppa | Get hash | malicious | AgentTesla | Browse | bitbucket.org/!api/2.0/snippets/warzonepro/8E74BM/47d1c5bd6af9e6b1718ba4d2e049cba6beb1ac95/files/charles1final
104.192.141.1 | Purchase Inquiry_pdf.ppa | Get hash | malicious | Unknown | Browse | bitbucket.org/!api/2.0/snippets/warzonepro/8E74BM/47d1c5bd6af9e6b1718ba4d2e049cba6beb1ac95/files/charles1final
188.114.97.3 | BL Draft.exe | Get hash | malicious | FormBook | Browse | www.gazeta-ufaley.ru/wjr5/
188.114.97.3 | Your file name without extension goes here.exe | Get hash | malicious | FormBook | Browse | www.pu6wac.buzz/g2ww/
188.114.97.3 | Purchase Order No.P7696#U00faPDF.scr.exe | Get hash | malicious | Unknown | Browse | filetransfer.io/data-package/OWlnEE9J/download
188.114.97.3 | Purchase Order No.P7696#U00faPDF.scr.exe | Get hash | malicious | Unknown | Browse | filetransfer.io/data-package/OWlnEE9J/download
188.114.97.3 | MKCC-MEC-RFQ-115-2024.exe | Get hash | malicious | FormBook | Browse | www.checkout4xgrow.shop/ts59/?S0GhCH=DR-Lh8FH5BP&Upql=F3s9qclS9ajlyltz5vx8YuFcODa05tGO2XwI753moUwU8ctXmF/lD/LedP+MQBQFZjkX
188.114.97.3 | 62b1bf60394248d2c743ec6df0935d58e5009c9e04aab.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | podval.top/LineToPythonJsLowupdateLongpollWindowsFlower.php
188.114.97.3 | MUdeeReQ5R.exe | Get hash | malicious | FormBook | Browse | www.ilodezu.com/z48v/
188.114.97.3 | RR1h1iO6W2.exe | Get hash | malicious | FormBook | Browse | www.intervisitation.sbs/clrm/
188.114.97.3 | aAEsSBx24sxHhRz.exe | Get hash | malicious | FormBook | Browse | www.fin4d-sl.com/dy13/?GdIHAFZ=MC4QZEftrgtCVvoYAYxBXZxxSCJu24Hzj16GKJrL5MOAuB5Jt3GFkekm4l21S7hYr6F9&BhU=5jl0ddZhNnYlOrV0
188.114.97.3 | http://sp.26skins.com/steamstore/category/action_run_jump/?snr=1_1530_4__12 | Get hash | malicious | Unknown | Browse | sp.26skins.com/favicon.ico
                      No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
OVHFR | H50bdqfVH2.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 51.195.62.41
OVHFR | bv8iPF7cTY.exe | Get hash | malicious | AgentTesla | Browse | 198.50.154.144
OVHFR | VG0x1LZCFb.exe | Get hash | malicious | AgentTesla | Browse | 51.255.149.48
OVHFR | https://us-east-2.protection.sophos.com/?d=beehiiv.com&u=aHR0cHM6Ly9saW5rLm1haWwuYmVlaGlpdi5jb20vbHMvY2xpY2s_dXBuPXUwMDEublhka2JOSUpSeEZBS3VJWUJaMjU1N3l4Ujd6TmpDcFhIYW5SQnlyQXY3ZHMzMDZEQ091c3dBUU0yYzhiZFN4b1BudElFVWpoUzJhdzI1aDJUcWNiZVVCdXQ3WEhqcHZMejN4aS0yRnBZN2NYb3RNbXNIRlVyUkd5RDAzTGhIZms2a2E1ZGZEVFpCSlVkWnpOandHYUJsR0x3U1B4MlN1TVNIWEl5ZlI3YVdDNW1aeFNQLTJCUWFOUmpzMlpwblRwbmxpLTJGX245c19sZUtscWNRUnJvOGtNTXJocHFZOENpeTQ4MnhLUmJTM1NZcE16TVUtMkY5c0VvdjNqMExCNE1kOVZ3WUJvOEY2bEhJTllZbE90LTJGcjRQd1FwOXdCVmFuUXpmRy0yQnZlaFF5WVBjamlVbFpSN3VSaHJFbWFrLTJCYXY5T2RyYldyREphTmo3ck1iNmlhckR2Rjh1d2xPeDZ5VFY5ODFHLTJGejZiRDczakVOVHk4M0pXa2kzVzNTSzRBRURwQjd3dEg4blRyZ203ZjYxaEg2enlzYjFLYVl0S0pyWUJjU2QxNTN2SDQ5eDlTeW5acVZ0TGdqN2RrWU1FRkE1NzV6WWF6b2UwQmw2UnVUM1RHTkJiU2JpOHhUNUFnRGJMUjY4TlU1ay0yRmtDVFJtOHJrWWRMSDBNRGgtMkY3c1J6dVE4TEJxeDBvQzZ6WXVFQk0xRVFBdGI3eGxMZVEtMkJ5SEtiOE4yVHV0TFdpVEk4amc4b3U5MTkxRlM5SDEyLTJCbnJpT0hESVo2Nk1yd3pIeTRScFBQWlAtMkJ0Y1NscGt2Z01HT2F5Nmx6UGlCdE1MeGRrODI5eGU3TThFT1VLRDR2UHIxZFdYZ3c3MjFQQjFNa3k=&i=NWNiNGNiOGY1NWZlOGIxMTAwZmUxN2Uy&t=YUVvbWN0aDQzMW4yV29uam9nK2tUNmU1dStvM2VicUNJeENiWDR5Zk1nTT0=&h=ddfea45e1610491898abc824d1dabad5&s=AVNPUEhUT0NFTkNSWVBUSVaKXvCVdmaYUeJ4sMCGgh9xhnT0RF3qCfPvI6ciaUbnMg | Get hash | malicious | Unknown | Browse | 66.70.176.204
OVHFR | https://hr.economictimes.indiatimes.com/etl.php?url=https://hr.economictimes.indiatimes.com/etl.php?url=//bgvhdjcbjfdhjkbgfddgfghgfd.pages.dev/#?email=dGVzdEB0ZXN0by5jb20= | Get hash | malicious | Unknown | Browse | 149.202.238.104
OVHFR | watchdog.elf | Get hash | malicious | Mirai | Browse | 142.44.221.54
OVHFR | spc.elf | Get hash | malicious | Mirai | Browse | 51.71.23.37
OVHFR | https://supp-review9482.eu/ | Get hash | malicious | Unknown | Browse | 94.23.17.185
OVHFR | http://multichaindappsx.pages.dev/ | Get hash | malicious | Unknown | Browse | 51.255.68.171
OVHFR | 44zg1cvu.msg | Get hash | malicious | HTMLPhisher | Browse | 51.38.145.13
INFOBOX-ASInfoboxruAutonomousSystemRU | 5GOuTtZoQn.exe | Get hash | malicious | LummaC, Poverty Stealer, SmokeLoader | Browse | 77.221.157.163
INFOBOX-ASInfoboxruAutonomousSystemRU | SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.15788.4670.exe | Get hash | malicious | LummaC, Poverty Stealer, SmokeLoader | Browse | 77.221.157.163
INFOBOX-ASInfoboxruAutonomousSystemRU | Eclf71HXa1.exe | Get hash | malicious | Unknown | Browse | 77.221.149.185
INFOBOX-ASInfoboxruAutonomousSystemRU | Eclf71HXa1.exe | Get hash | malicious | Unknown | Browse | 77.221.149.185
INFOBOX-ASInfoboxruAutonomousSystemRU | file.exe | Get hash | malicious | PureLog Stealer, RedLine, Xmrig | Browse | 77.221.149.185
INFOBOX-ASInfoboxruAutonomousSystemRU | file.exe | Get hash | malicious | PureLog Stealer | Browse | 77.221.140.76
INFOBOX-ASInfoboxruAutonomousSystemRU | file.exe | Get hash | malicious | PureLog Stealer, zgRAT | Browse | 77.221.140.76
INFOBOX-ASInfoboxruAutonomousSystemRU | file.exe | Get hash | malicious | PureLog Stealer | Browse | 77.221.140.76
INFOBOX-ASInfoboxruAutonomousSystemRU | SecuriteInfo.com.Win64.MalwareX-gen.13147.14133.exe | Get hash | malicious | Unknown | Browse | 77.221.159.5
INFOBOX-ASInfoboxruAutonomousSystemRU | SecuriteInfo.com.Win64.MalwareX-gen.13147.14133.exe | Get hash | malicious | Unknown | Browse | 77.221.159.5
CompaniaDominicanadeTelefonosSADO | mirai.m68k.elf | Get hash | malicious | Mirai | Browse | 190.80.206.217
CompaniaDominicanadeTelefonosSADO | mirai.x86.elf | Get hash | malicious | Mirai | Browse | 148.42.30.184
CompaniaDominicanadeTelefonosSADO | yJgVAg26w0.elf | Get hash | malicious | Mirai | Browse | 148.162.215.71
CompaniaDominicanadeTelefonosSADO | NiAsQEhh9p.elf | Get hash | malicious | Mirai | Browse | 148.36.146.27
CompaniaDominicanadeTelefonosSADO | h1dNV0rAcX.elf | Get hash | malicious | Mirai | Browse | 148.133.184.159
CompaniaDominicanadeTelefonosSADO | AAMwAy8pB7.elf | Get hash | malicious | Mirai, Moobot | Browse | 150.72.192.198
CompaniaDominicanadeTelefonosSADO | V7UaNBrX72.elf | Get hash | malicious | Mirai, Moobot | Browse | 148.23.52.92
CompaniaDominicanadeTelefonosSADO | RDEHNTKF1V.elf | Get hash | malicious | Mirai, Moobot | Browse | 148.133.14.106
CompaniaDominicanadeTelefonosSADO | 1CZlhmRsza.elf | Get hash | malicious | Mirai, Moobot | Browse | 152.68.187.217
CompaniaDominicanadeTelefonosSADO | Ul8gIL4P3u.elf | Get hash | malicious | Mirai, Moobot | Browse | 150.0.225.83
AMAZON-02US | 2cFFfHDG7D.msi | Get hash | malicious | AteraAgent | Browse | 3.165.136.99
AMAZON-02US | Your file name without extension goes here.exe | Get hash | malicious | FormBook | Browse | 18.155.129.121
AMAZON-02US | SecuriteInfo.com.Win32.MalwareX-gen.14314.27670.exe | Get hash | malicious | Poverty Stealer | Browse | 104.192.141.1
AMAZON-02US | AWB NO. 077-57676135055.exe | Get hash | malicious | FormBook | Browse | 44.227.65.245
AMAZON-02US | MKCC-MEC-RFQ-115-2024.exe | Get hash | malicious | FormBook | Browse | 3.64.163.50
AMAZON-02US | https://mail.pfl.fyi/v1/messages/0190749a-2f6a-7c9f-b37a-88f0ae969ede/click?link_id=0190749a-2ffa-7f41-ad16-3ecda235df51&signature=3e892faf1c0137166fda82e5ff5c6a3150c2cec9 | Get hash | malicious | HTMLPhisher | Browse | 108.156.39.22
AMAZON-02US | https://link.mail.beehiiv.com/ls/click?upn=u001.DTQiLe1mLQCNek4IXPrb3cd8am3-2BtbSaRRShUhZCbhF1FE2NDum-2B9YeqhMivZ-2FcIJGKdOjfqgyCSTZimAiOiNKkJG3N5vgYBNDNlk5YkmOU2XPb-2FKTFlF-2Fc7jFH7Nb8Q0JW6uJclJabjCcGs0cWdzdydwDpcxzScPZQBex7SofyQj6MGdYzEG8hbxGGqYt2bpR0NjPAx6JIYz6GJiSrQNg-3D-3DNN1n_VW5ZEdFpCuXmC2nf4fwMfiBmdui0O95PSMmp4s-2F2oS3jvSHISWr6XQl8RtHpD7TWmHpRBlT8NsCamUZaroeFibjayeskXeuNnFhPFOon1-2FD6SmbcpIEUC7jghzzXsggajKIODB16RJEeGNz4SFHe6mT-2Bn59v08ju13fD9NtKJQcr97qiQNjiGiaoQJcvN3gUurUBqLZp9I4f9bNW54ZUVVCzpwaogbLaWcL9oScbt8r4Ku34t9zOqlF27gTqXVf6T2MbNMKkoCYnb-2BuL8kIZdyoRM3EFOIuktrG5gMH3OTa1K2klBhmxFOQ2d7plqd5asAi8Ofl9YcYOh-2FL4f45riCQtSdd7jru06EkHcBuJahi-2BD3xm-2F7PbjpIpmn-2Bu7KYdjQeOSKE-2FSiD6UNxc7JQNRWkdnK1RTC7eoEMZms82uCa8fJQIoMgqBt91NrcdZIDONaGhhpHXRhQ1VbYp5h6Cow-3D-3D#?email=dmFsZXJpZS5jaHJ1c2NpZWxAb3Zlcmxha2Vob3NwaXRhbC5vcmc= | Get hash | malicious | HTMLPhisher | Browse | 108.156.39.60
AMAZON-02US | 7sAylAXBOb.exe | Get hash | malicious | Unknown | Browse | 3.64.163.50
AMAZON-02US | http://booking.extnnehotteir.com/admin/o2shi1bka89 | Get hash | malicious | Unknown | Browse | 18.239.36.121
AMAZON-02US | 7sAylAXBOb.exe | Get hash | malicious | Unknown | Browse | 3.64.163.50
                      No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat | 5GOuTtZoQn.exe | Get hash | malicious | LummaC, Poverty Stealer, SmokeLoader | Browse |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat | SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.15788.4670.exe | Get hash | malicious | LummaC, Poverty Stealer, SmokeLoader | Browse |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat | JuHVfiAuLo.exe | Get hash | malicious | LummaC, Poverty Stealer, SmokeLoader | Browse |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat | LXbM8RbhLa.exe | Get hash | malicious | LummaC, Poverty Stealer, SmokeLoader | Browse |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat | EiPVv5yELP.exe | Get hash | malicious | LummaC, Poverty Stealer, SmokeLoader | Browse |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat | 6IMo1kM9CC.exe | Get hash | malicious | LummaC, Poverty Stealer, SmokeLoader | Browse |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat | file.exe | Get hash | malicious | LummaC, Poverty Stealer, SmokeLoader | Browse |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat | SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe | Get hash | malicious | LummaC, Poverty Stealer, SmokeLoader | Browse |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat | 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe | Get hash | malicious | LummaC, Poverty Stealer, SmokeLoader | Browse |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\huge[1].dat | OBbrO5rwew.exe | Get hash | malicious | LummaC, Poverty Stealer, SmokeLoader | Browse |
C:\Users\user\AppData\Local\Temp\263.exe | 5GOuTtZoQn.exe | Get hash | malicious | LummaC, Poverty Stealer, SmokeLoader | Browse |
C:\Users\user\AppData\Local\Temp\263.exe | SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.15788.4670.exe | Get hash | malicious | LummaC, Poverty Stealer, SmokeLoader | Browse |
C:\Users\user\AppData\Local\Temp\263.exe | JuHVfiAuLo.exe | Get hash | malicious | LummaC, Poverty Stealer, SmokeLoader | Browse |
C:\Users\user\AppData\Local\Temp\263.exe | LXbM8RbhLa.exe | Get hash | malicious | LummaC, Poverty Stealer, SmokeLoader | Browse |
C:\Users\user\AppData\Local\Temp\263.exe | EiPVv5yELP.exe | Get hash | malicious | LummaC, Poverty Stealer, SmokeLoader | Browse |
C:\Users\user\AppData\Local\Temp\263.exe | 6IMo1kM9CC.exe | Get hash | malicious | LummaC, Poverty Stealer, SmokeLoader | Browse |
C:\Users\user\AppData\Local\Temp\263.exe | file.exe | Get hash | malicious | LummaC, Poverty Stealer, SmokeLoader | Browse |
C:\Users\user\AppData\Local\Temp\263.exe | SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe | Get hash | malicious | LummaC, Poverty Stealer, SmokeLoader | Browse |
C:\Users\user\AppData\Local\Temp\263.exe | 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe | Get hash | malicious | LummaC, Poverty Stealer, SmokeLoader | Browse |
C:\Users\user\AppData\Local\Temp\263.exe | OBbrO5rwew.exe | Get hash | malicious | LummaC, Poverty Stealer, SmokeLoader | Browse |
                                                              Process:C:\Users\user\AppData\Local\Temp\3D69.exe
                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                              Category:dropped
                                                              Size (bytes):107232830
                                                              Entropy (8bit):7.999946456161068
                                                              Encrypted:true
                                                              SSDEEP:1572864:6F6Q78DDbO8pDfwpK5ZAQ5WKor2G5N6Y7ZxFo9jk7WUTLECglga1R7P435MZZDXA:jPNVfsQZoL5NJdo9jKWergS89P4qZZc
                                                              MD5:FF2293FBFF53F4BD2BFF91780FABFD60
                                                              SHA1:61A9EDCF46228DC907AD523AA6FD035CC26C9209
                                                              SHA-256:B9BC473FC866909F089E005BAF2537EE7FF2825668D40D67C960D5C2AFB34E9F
                                                              SHA-512:C31A0046BA580926097422DF34619B614AA0DEB6435EC5CE68A553846FAD15BC61908B8C8292D25EE061BA1974637A7B91D72F19CCCCC2C76B9AC737B1CB4A5E
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: Avira, Detection: 100%
                                                              • Antivirus: ReversingLabs, Detection: 3%
                                                              Joe Sandbox View:
                                                              • Filename: 5GOuTtZoQn.exe, Detection: malicious, Browse
                                                              • Filename: SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.15788.4670.exe, Detection: malicious, Browse
                                                              • Filename: JuHVfiAuLo.exe, Detection: malicious, Browse
                                                              • Filename: LXbM8RbhLa.exe, Detection: malicious, Browse
                                                              • Filename: EiPVv5yELP.exe, Detection: malicious, Browse
                                                              • Filename: 6IMo1kM9CC.exe, Detection: malicious, Browse
                                                              • Filename: file.exe, Detection: malicious, Browse
                                                              • Filename: SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe, Detection: malicious, Browse
                                                              • Filename: 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe, Detection: malicious, Browse
                                                              • Filename: OBbrO5rwew.exe, Detection: malicious, Browse
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8........................................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............|..............@....ndata.......P...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\explorer.exe
                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):6642176
                                                              Entropy (8bit):7.866419732571782
                                                              Encrypted:false
                                                              SSDEEP:98304:LqhZ67opwYckx35SF2XKgxVvHuCPU8GSbO3JAXV1LrA+ZlL9CxpzTp2:LgErupSgKORuCT43JeV1LE+/s3p
                                                              MD5:BD2EAC64CBDED877608468D86786594A
                                                              SHA1:778AD44AFD5629F0A5B3B7DF9D6F02522AE94D91
                                                              SHA-256:CAE992788853230AF91501546F6EAD07CFD767CB8429C98A273093A90BBCB5AD
                                                              SHA-512:3C8F43045F27ADDCB5FB23807C2CE1D3F247CC30DD1596134A141B0BBC7FA4D30D138791214D939DC4F34FD925B9EC450EA340E5871E2F4F64844226ED394312
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: Avira, Detection: 100%
                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                              • Antivirus: ReversingLabs, Detection: 68%
                                                              Joe Sandbox View:
                                                              • Filename: 5GOuTtZoQn.exe, Detection: malicious, Browse
                                                              • Filename: SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.15788.4670.exe, Detection: malicious, Browse
                                                              • Filename: JuHVfiAuLo.exe, Detection: malicious, Browse
                                                              • Filename: LXbM8RbhLa.exe, Detection: malicious, Browse
                                                              • Filename: EiPVv5yELP.exe, Detection: malicious, Browse
                                                              • Filename: 6IMo1kM9CC.exe, Detection: malicious, Browse
                                                              • Filename: file.exe, Detection: malicious, Browse
                                                              • Filename: SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.2850.19434.exe, Detection: malicious, Browse
                                                              • Filename: 37e6e5d8b399fefb9ae774516ff6367e800c69a272e18a654bb84ccff2d7c67a_dump.exe, Detection: malicious, Browse
                                                              • Filename: OBbrO5rwew.exe, Detection: malicious, Browse
                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....U~f..............................M...........@...................................e...@..................................O......P......................@.......................................................@3..............................text...+........................... ..`.rdata...*..........................@..@.data.... ..........................@....vmpL.p.....0...................... ..`.vmpL.p@....@3.....................@....vmpL.p..]..P3...]................. ..`.reloc.......@........].............@..@.rsrc.......P...f....].............@..@........................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\explorer.exe
                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                              Category:dropped
                                                              Size (bytes):293869
                                                              Entropy (8bit):5.61569579822855
                                                              Encrypted:false
                                                              SSDEEP:3072:lFi6z/VXzAf3ocMNqB3r1Josf+OMhERMlm+twHBumSYyDgIoIPM7l0UGHM7:lxFSIjs+OM2eLFmSFgIZk7+HM7
                                                              MD5:60172CA946DE57C3529E9F05CC502870
                                                              SHA1:DE8F59D6973A5811BB10A9A4410801FA63BC8B56
                                                              SHA-256:42CEB2252FEC41FD0ACC6874B41C91E0BA07C367045D6A9A7850D59781C2584C
                                                              SHA-512:15D37AF3CAB96FC9026A1898E09C775FE0D277098A3FE20C2E591272DE996A243850D43F3B48B4C037C5FED359E57795A7CF1652547D7AD8B16B186AB9508792
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: Avira, Detection: 100%
                                                              • Antivirus: ReversingLabs, Detection: 21%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8........`..X............................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............|..............@....ndata.......P...........................rsrc...X....`......................@..@................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\explorer.exe
                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Category:modified
                                                              Size (bytes):578048
                                                              Entropy (8bit):6.297510031778876
                                                              Encrypted:false
                                                              SSDEEP:12288:No4ykJuqlLJop9G3/AmAGWn7sfPJYQIMt8KHsTH:NoBsLaDKAmAbUJ+M2K2
                                                              MD5:DA4B6F39FC024D2383D4BFE7F67F1EE1
                                                              SHA1:7CC975D9FF785E269163897907D0B9B3CEE29956
                                                              SHA-256:544697A024ABAEA1B24EAA3D89869B2C8A4C1ACF96D4E152F5632D338D054C9E
                                                              SHA-512:D73CC4D911D9E61711B97CB9212D5BC93CB1B1314A39945934EB92239A31728FCCA7FEFBEC0143BAD915B0A7A6B93DF11D0AB7F559737AA7EC920BD24243FFFE
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                              • Antivirus: ReversingLabs, Detection: 42%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........(...I..I..I...1..I...1...I...1..I..l...I..l...I..l....I...1..I..I...I..]...I..]...I..Rich.I..................PE..L...w;.f...............'.....\....................@.......................................@.....................................(................................2..Xh..p....................i.......g..@...............@............................text....~.......................... ..`.rdata..4...........................@..@.data...............................@....reloc...2.......4..................@..B........................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):82944
                                                              Entropy (8bit):6.389604568119155
                                                              Encrypted:false
                                                              SSDEEP:1536:Dli3i1jKfTV0LzYpAzMk2nACScLw5jPAT:j9KLQ+ScLw5jPAT
                                                              MD5:165E1EF5C79475E8C33D19A870E672D4
                                                              SHA1:965F02BFD103F094AC6B3EEF3ABE7FDCB8D9E2A5
                                                              SHA-256:9DB9C58E44DFF2D985DC078FDBB7498DCC66C4CC4EB12F68DE6A98A5D665ABBD
                                                              SHA-512:CD10EAF0928E5DF048BF0488D9DBFE9442E2E106396A0967462BEF440BF0B528CDF3AB06024FB6FDAF9F247E2B7F3CA0CEA78AFC0CE6943650EF9D6C91FEE52A
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........W=.e9n.e9n.e9n...n.e9n...n.e9n..Bn.e9n.e8n.e9n.7.n.e9n...n.e9n...n.e9n...n.e9nRich.e9n........PE..L...,.N...........!.........^.......%...............................................3..................................`...$'..d....`.......................p...................................... ...@...............h............................text...1........................... ..`.rdata..P/.......0..................@..@.data........0......................@....rsrc........`.......*..............@..@.reloc.......p.......,..............@..B........................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):358363995
                                                              Entropy (8bit):6.972150585647623
                                                              Encrypted:false
                                                              SSDEEP:3145728:KTzytRGD/CYRNIPKYTFBhfmOS9KBaVzTx9OSsKV97nM:KnUs4tvaVzTD99M
                                                              MD5:5F9D89B40243E83C0B48206CE4EB77D1
                                                              SHA1:477A019AB11E5793168B3E41D83B80A8AC8F1D43
                                                              SHA-256:2BF31800E731EF63E7E5BDEECD87B50B349EC8F5C9D752AACB807AC0E82E95B9
                                                              SHA-512:5B812C2D341FE8A9296EF68E416E0EFA8185FB3ECCEC0917AB206CD7639E1810E6444538B61583E2260F1A46D4209E1995CFBF940A1D9836C4155ADF0504940B
                                                              Malicious:false
                                                              Preview:........,.......................H...........................................................................................................................................................................................................................................................e...i...............j.......................3.......................................................................................................................t....V..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Users\user\AppData\Local\Temp\3D69.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):60466
                                                              Entropy (8bit):5.603640719549413
                                                              Encrypted:false
                                                              SSDEEP:1536:akqg31kqY3Q4Oc//////Q0LatojW/lX1Xb41:3qg323Sc//////Q3tojW/XXy
                                                              MD5:DE806154A80E3916669C466B6D001BD6
                                                              SHA1:B85BD0EC436125772A9C5403162628B7AAB35F49
                                                              SHA-256:10D9B7F2238EFFEB71990F979B9DFE4F3BE3D212B05232EF34C39F9578CC11E3
                                                              SHA-512:63CC5D6865C89AE2C41EEE3C76FD865D9461E96DBC570270982EB6DB5A15FB234098286CEE3FF9DB2255FEDA5207A222AB67743475AD60CCFD89A86B881BCB94
                                                              Malicious:false
                                                              Process:C:\Users\user\AppData\Local\Temp\3D69.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):22016
                                                              Entropy (8bit):5.668346578219837
                                                              Encrypted:false
                                                              SSDEEP:384:VpOSdCjDyyvBwRlX+ODbswYM2s74NS0v0Ac9khYLMkIX0+Gzyekx:rdCjW/lX1PfYM2X1
                                                              MD5:92EC4DD8C0DDD8C4305AE1684AB65FB0
                                                              SHA1:D850013D582A62E502942F0DD282CC0C29C4310E
                                                              SHA-256:5520208A33E6409C129B4EA1270771F741D95AFE5B048C2A1E6A2CC2AD829934
                                                              SHA-512:581351AEF694F2489E1A0977EBCA55C4D7268CA167127CEFB217ED0D2098136C7EB433058469449F75BE82B8E5D484C9E7B6CF0B32535063709272D7810EC651
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Process:C:\Users\user\AppData\Local\Temp\3D69.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):22528
                                                              Entropy (8bit):6.674611218414922
                                                              Encrypted:false
                                                              SSDEEP:384:yTxz0Cv0hqd+1TjQmd9YWrSUEc//////OD5hF92IJpJgLa0MpoYfAz6S:jCvsqdS3QGBREc//////Q53NgLa1ub
                                                              MD5:5AFD4A9B7E69E7C6E312B2CE4040394A
                                                              SHA1:FBD07ADB3F02F866DC3A327A86B0F319D4A94502
                                                              SHA-256:053B4487D22AACF8274BAB448AE1D665FE7926102197B47BFBA6C7ED5493B3AE
                                                              SHA-512:F78EFE9D1FA7D2FFC731D5F878F81E4DCBFAF0C561FDFBF4C133BA2CE1366C95C4672D67CAE6A8BD8FCC7D04861A9DA389D98361055AC46FC9793828D9776511
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 5%
                                                              Process:C:\Users\user\AppData\Local\Temp\3D69.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):4608
                                                              Entropy (8bit):4.666004851298707
                                                              Encrypted:false
                                                              SSDEEP:48:iYXzAm8HGJLvwM8GJFd6I7W4JtT2bxNNAa4GsNf+CJ8aYqmtlKdgAtgma1QvtCSJ:lz2mJkpGR6GY74GQ1YqmstgGCtR
                                                              MD5:FAA7F034B38E729A983965C04CC70FC1
                                                              SHA1:DF8BDA55B498976EA47D25D8A77539B049DAB55E
                                                              SHA-256:579A034FF5AB9B732A318B1636C2902840F604E8E664F5B93C07A99253B3C9CF
                                                              SHA-512:7868F9B437FCF829AD993FF57995F58836AD578458994361C72AE1BF1DFB74022F9F9E948B48AFD3361ED3426C4F85B4BB0D595E38EE278FEE5C4425C4491DBF
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Process:C:\Users\user\AppData\Local\Temp\3D69.exe
                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                              Category:dropped
                                                              Size (bytes):107232830
                                                              Entropy (8bit):7.999946456161068
                                                              Encrypted:true
                                                              SSDEEP:1572864:6F6Q78DDbO8pDfwpK5ZAQ5WKor2G5N6Y7ZxFo9jk7WUTLECglga1R7P435MZZDXA:jPNVfsQZoL5NJdo9jKWergS89P4qZZc
                                                              MD5:FF2293FBFF53F4BD2BFF91780FABFD60
                                                              SHA1:61A9EDCF46228DC907AD523AA6FD035CC26C9209
                                                              SHA-256:B9BC473FC866909F089E005BAF2537EE7FF2825668D40D67C960D5C2AFB34E9F
                                                              SHA-512:C31A0046BA580926097422DF34619B614AA0DEB6435EC5CE68A553846FAD15BC61908B8C8292D25EE061BA1974637A7B91D72F19CCCCC2C76B9AC737B1CB4A5E
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: Avira, Detection: 100%
                                                              • Antivirus: ReversingLabs, Detection: 3%
                                                              Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              File Type:FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
                                                              Category:dropped
                                                              Size (bytes):8192
                                                              Entropy (8bit):0.01057775872642915
                                                              Encrypted:false
                                                              SSDEEP:3:MsFl:/F
                                                              MD5:CF89D16BB9107C631DAABF0C0EE58EFB
                                                              SHA1:3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
                                                              SHA-256:D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
                                                              SHA-512:8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
                                                              Malicious:false
                                                              Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):8192
                                                              Entropy (8bit):0.012096502606932763
                                                              Encrypted:false
                                                              SSDEEP:3:MsEllllkXl:/M/6
                                                              MD5:259E7ED5FB3C6C90533B963DA5B2FC1B
                                                              SHA1:DF90EABDA434CA50828ABB039B4F80B7F051EC77
                                                              SHA-256:35BB2F189C643DCF52ECF037603D104035ECDC490BF059B7736E58EF7D821A09
                                                              SHA-512:9D401053AC21A73863B461B0361DF1A17850F42FD5FC7A77763A124AA33F2E9493FAD018C78CDFF63CA10F6710E53255CE891AD6EC56EC77D770C4630F274933
                                                              Malicious:false
                                                              Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):8192
                                                              Entropy (8bit):0.011852361981932763
                                                              Encrypted:false
                                                              SSDEEP:3:MsHlDll:/H
                                                              MD5:0962291D6D367570BEE5454721C17E11
                                                              SHA1:59D10A893EF321A706A9255176761366115BEDCB
                                                              SHA-256:EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
                                                              SHA-512:F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
                                                              Malicious:false
                                                              Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              File Type:data
                                                              Category:modified
                                                              Size (bytes):8192
                                                              Entropy (8bit):0.012340643231932763
                                                              Encrypted:false
                                                              SSDEEP:3:MsGl3ll:/y
                                                              MD5:41876349CB12D6DB992F1309F22DF3F0
                                                              SHA1:5CF26B3420FC0302CD0A71E8D029739B8765BE27
                                                              SHA-256:E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
                                                              SHA-512:E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
                                                              Malicious:false
                                                              Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              File Type:FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
                                                              Category:dropped
                                                              Size (bytes):262512
                                                              Entropy (8bit):9.553120663130604E-4
                                                              Encrypted:false
                                                              SSDEEP:3:LsNlQr//:Ls3s/
                                                              MD5:A80D1D80066AE4941335D92DEDAAB9EA
                                                              SHA1:E351AC1CC953B12709E84916183904642FF6A5B0
                                                              SHA-256:6CFEFD301580D03DF9DDDB440EAF353500444544007475760A1A4E2717850E8C
                                                              SHA-512:F049FF5DFED810EF510F9BD46338D7AD7EA80F0FBF5C58BC64B839644B335EEFD80FDE219A1DAE6DEB6507742AD8453B6CB2349B710E45D17A5A2C25DEC9F8C1
                                                              Malicious:false
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):8192
                                                              Entropy (8bit):4.622398838808078
                                                              Encrypted:false
                                                              SSDEEP:96:QPjzIyfbInD3W0IwrBmEH7UewW4ORIhmY5XO40uK8DDzNt:pQIS0IwrJbU7W4kIX5e4kgF
                                                              MD5:97D4D47D539CB8171BE2AEFD64C6EBB1
                                                              SHA1:44ABF82DD553CCE0C1F41B9B78D853075DDD1F16
                                                              SHA-256:8D996D5F68BF2248F223C4F3549303BC6A8EC58CC97FCB63B7BB7D8068850273
                                                              SHA-512:7D402847B093E208410C695095DE815A3F5D5DA81630FD51C88C009C48C269D0EA5016D626351BB9D38862163FAD930645072C50ACCCD743DC0E19531A592FDE
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                              • Antivirus: ReversingLabs, Detection: 7%
                                                              Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              File Type:FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
                                                              Category:dropped
                                                              Size (bytes):8192
                                                              Entropy (8bit):0.01057775872642915
                                                              Encrypted:false
                                                              SSDEEP:3:MsFl:/F
                                                              MD5:CF89D16BB9107C631DAABF0C0EE58EFB
                                                              SHA1:3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
                                                              SHA-256:D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
                                                              SHA-512:8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
                                                              Malicious:false
                                                              Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):8192
                                                              Entropy (8bit):0.012096502606932763
                                                              Encrypted:false
                                                              SSDEEP:3:MsEllllkXl:/M/6
                                                              MD5:259E7ED5FB3C6C90533B963DA5B2FC1B
                                                              SHA1:DF90EABDA434CA50828ABB039B4F80B7F051EC77
                                                              SHA-256:35BB2F189C643DCF52ECF037603D104035ECDC490BF059B7736E58EF7D821A09
                                                              SHA-512:9D401053AC21A73863B461B0361DF1A17850F42FD5FC7A77763A124AA33F2E9493FAD018C78CDFF63CA10F6710E53255CE891AD6EC56EC77D770C4630F274933
                                                              Malicious:false
                                                              Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):8192
                                                              Entropy (8bit):0.011852361981932763
                                                              Encrypted:false
                                                              SSDEEP:3:MsHlDll:/H
                                                              MD5:0962291D6D367570BEE5454721C17E11
                                                              SHA1:59D10A893EF321A706A9255176761366115BEDCB
                                                              SHA-256:EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
                                                              SHA-512:F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
                                                              Malicious:false
                                                              Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):8192
                                                              Entropy (8bit):0.012340643231932763
                                                              Encrypted:false
                                                              SSDEEP:3:MsGl3ll:/y
                                                              MD5:41876349CB12D6DB992F1309F22DF3F0
                                                              SHA1:5CF26B3420FC0302CD0A71E8D029739B8765BE27
                                                              SHA-256:E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
                                                              SHA-512:E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
                                                              Malicious:false
                                                              Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              File Type:FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
                                                              Category:dropped
                                                              Size (bytes):262512
                                                              Entropy (8bit):9.553120663130604E-4
                                                              Encrypted:false
                                                              SSDEEP:3:LsNl8X:Ls3
                                                              MD5:0D1876472D4CDE10BC31CF0A6CC28214
                                                              SHA1:F81FE6A810284337AB8E3BA80C744C679191BB18
                                                              SHA-256:45B438FB93604D9E397CEA90D16871F411C5097785000E5AA4F77B6B731EB7F9
                                                              SHA-512:5A2473A5CDDB5B76194D1D23EEB13007CB1C67E6B8408FCC7A6E4832FEBE4841094494EBAB081E8BD27BDCBC6192EF23D321005AF470B5BDD2CE105BCDC404D7
                                                              Malicious:false
                                                              Preview:............................................z/.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):296448
                                                              Entropy (8bit):5.660420770467009
                                                              Encrypted:false
                                                              SSDEEP:3072:xTpjI4TptgvmHMaellnhblkK0m2QEk0xjo4OVzdvayfvYn6A:ppbVtsg1e5b2Px2zdyyq
                                                              MD5:7A3502C1119795D35569535DE243B6FE
                                                              SHA1:DA0D16BC66614C7D273C47F321C5EE0652FB5575
                                                              SHA-256:B18FEFB56ED7B89E45CEC8A5494FBEC81E36A5CB5538CCBB8DE41CCE960FAA30
                                                              SHA-512:258B111AC256CD8145CBE212D59DFF5840D67E70EFFD7CDDC157B2A3461B398BBC3446004980131FAA6A8762C19305F56E7B793F045331B56B8BD17D85B884C4
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: Avira, Detection: 100%
                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                              • Antivirus: ReversingLabs, Detection: 3%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....rf..............0.............>.... ........@.. ....................................@....................................O.......t............................................................................ ............... ..H............text...d.... ...................... ..`.rsrc...t...........................@..@.reloc..............................@..B................ .......H....... ...$...........D...p............................................(....s....*Z..(....,...(....(....*.(....*..(....*..(....*.......*.~....*....0..W.......(....".....(......,..o....-..*.o.....+...( .....o....&..(!...-...........o"....."...BZ*.......%..A.......0..Q.......(....(........,..o....-..*.o.....+...( .....o....&.._...(!...-...........o".....*.........!. A.......0..V.......(....(......,..o....-.*~#.....o.....+...( ...."...B[..o....&..(!...-...........o"....*......
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):462336
                                                              Entropy (8bit):6.803831500359682
                                                              Encrypted:false
                                                              SSDEEP:6144:leSYvQAd10GtSV41OJDsTDDVUMle6ZjxLV/rHo0Oaaz2R9IY:oJBdBS4msNUCe65frHMnz2R9
                                                              MD5:6DED8FCBF5F1D9E422B327CA51625E24
                                                              SHA1:8A1140CEBC39F6994EEF7E8DE4627FB7B72A2DD9
                                                              SHA-256:3B3E541682E48F3FD2872F85A06278DA2F3E7877EE956DA89B90D732A1EAA0BD
                                                              SHA-512:BDA3A65133B7B1E2765C7D07C7DA5103292B3C4C2F0673640428B3E7E8637B11539F06C330AB5D0BA6E2274BD2DCD2C50312BE6579E75C4008FF5AE7DAE34CE4
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....=N...........!................N#... ...@....@.. ..............................T.....@.................................."..O....@..P....................`......."............................................... ............... ..H............text...T.... ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B................0#......H.......0U..l...........P%.../..P ......................................6..`N.?O...%.C.k_..d...I......5a.......9x......R...gg8...JM...`.[. .o..eE1$_.M.h.q.oz..1..........@....s.c/J..wk.D.....t..&...(....*...0..2........r...p(....}.......}"....(........(.........(....*..r...p(....}.......}"....(........(....*..0..j.........o....-..s#...+..}......(......(......}.....(....s....}......}......}......(......%-.&r...p}......j(#...*rr!..p.{.....{.....B...(....*..0..A........{..
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):574376
                                                              Entropy (8bit):5.8881470355864725
                                                              Encrypted:false
                                                              SSDEEP:12288:ZzfhypmNGgHA37YyUD1AboTf3xnpJbC8VGSBJjRuz7:ZoI1AbQf3xnpJbC8VLBJjRuz7
                                                              MD5:8F81C9520104B730C25D90A9DD511148
                                                              SHA1:7CF46CB81C3B51965C1F78762840EB5797594778
                                                              SHA-256:F1F01B3474B92D6E1C3D6ADFAE74EE0EA0EBA6E9935565FE2317686D80A2E886
                                                              SHA-512:B4A66389BF06A6611DF47E81B818CC2FCD0A854324A2564A4438866953F148950F59CD4C07C9D40CC3A9043B5CE12B150C8A56CCCDF98D5E3F0225EDF8C516F3
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Ot............" ..0.............6.... ........... ....................................@....................................O.......................................T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........f...P............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X.+....b...aX...X...2.....cY.....cY....cY...{...._..{........+,..{E....3...{D......(....,...{D...*..{F.......-..*...0...........-.r...ps....z.o......-.~....*.~....X...+....b..
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):561424
                                                              Entropy (8bit):4.606896607960262
                                                              Encrypted:false
                                                              SSDEEP:6144:XqqUmk/Rik2rH6dl0/IaHNpOVIeR0R+CRFo9TA82m5Kj+sJjoqoyO185QyMYFLse:DUK
                                                              MD5:928ED37DB61C1E98A2831C8C01F6157C
                                                              SHA1:98103C2133EBDA28BE78BFE3E2D81D41924A23EE
                                                              SHA-256:39F6A4DB1BE658D6BAFF643FA05AAE7809139D9665475BFCA10D37DCA3384F21
                                                              SHA-512:F59387BFA914C7DB234161E31AD6075031ACA17AAEF4B8D4F4B95C78C7A6A8D0E64211566CA2FD4549B9DA45231F57A4191FBCD3809404653F86EE2ABD4937A4
                                                              Malicious:false
                                                              Preview:<?xml version="1.0"?>..<doc>.. <assembly>.. <name>Newtonsoft.Json</name>.. </assembly>.. <members>.. <member name="T:Newtonsoft.Json.Bson.BsonObjectId">.. <summary>.. Represents a BSON Oid (object id)... </summary>.. </member>.. <member name="P:Newtonsoft.Json.Bson.BsonObjectId.Value">.. <summary>.. Gets or sets the value of the Oid... </summary>.. <value>The value of the Oid.</value>.. </member>.. <member name="M:Newtonsoft.Json.Bson.BsonObjectId.#ctor(System.Byte[])">.. <summary>.. Initializes a new instance of the <see cref="T:Newtonsoft.Json.Bson.BsonObjectId"/> class... </summary>.. <param name="value">The Oid value.</param>.. </member>.. <member name="T:Newtonsoft.Json.Bson.BsonReader">.. <summary>.. Represents a reader that provides fast, non-cached, forward-only access to s
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                              Category:dropped
                                                              Size (bytes):215862
                                                              Entropy (8bit):5.849338245796311
                                                              Encrypted:false
                                                              SSDEEP:3072:rFi6z/VXzAf3oc8+vat7fvYnDAdOVz5kNx:rxFSI+y1qk6zuNx
                                                              MD5:9D21A25AA1B5985A2C8CBCE7F7007295
                                                              SHA1:86EBF56352B4DBB831FAE0CCA180B4ADD951240D
                                                              SHA-256:E41F984C39183BA4FD1578134D71E203F4A7A8C23F278924562876326FC40EE2
                                                              SHA-512:EE4A1AC97968F2DDA3C54A49AC33D3FCE28C4DAE72032D9FDD1F8D8BA41B07A1D78D15E11586DA54AD5E0F2BD4A48C79A0CBAC84DE3D957B2AC6C1B5F41A33BB
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG.*_...PG..PF.IPG.*_...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................................@.................................8........................................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............|..............@....ndata.......P...........................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):875520
                                                              Entropy (8bit):5.621956468920589
                                                              Encrypted:false
                                                              SSDEEP:12288:jsRfnBqqvFXWesd2HiZ9fyn+5FHrvUR1Qnzx7LuQ:jsRITeWAQ5vtu
                                                              MD5:B03C7F6072A0CB1A1D6A92EE7B82705A
                                                              SHA1:6675839C5E266075E7E1812AD8E856A2468274DD
                                                              SHA-256:F561713347544E9D06D30F02A3DFCEC5FE593B38894593AEEDF5700666B35027
                                                              SHA-512:19D6792EB9BA8584B94D0D59E07CE9D1C9C4DA5516490F4ABCE5AE0D7D55B357BDA45B2093B3E9EB9D6858061E9D3F530A6655C4779A50C911501AE23925C566
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..R...........p... ........... ....................................@..................................p..O.......x............................o..T............................................ ............... ..H............text....P... ...R.................. ..`.rsrc...x............T..............@..@.reloc...............Z..............@..B.................p......H....... .................................................................(....*..(....*..(....*^.(.......=...%...}....*:.(......}....*:.(......}....*^.(.......>...%...}....*:.(......}....*.(.........*....0..,.......(....o.......3..*....... ....3.(....-..*.*.*.0..L.......~..... . ..(......(....-..(....r...p( ...,.......&...~....(!...,..(".....*.*........+1...........4.......~....*.~....*..(....*.~....,.*.(#...-.(....-..(....+.r...ps$...z(..........*b.r...p(%...~.....(....&*.r
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):1946739
                                                              Entropy (8bit):7.989700491058983
                                                              Encrypted:false
                                                              SSDEEP:49152:fpXzD2VLpS71ycdao6LreGCL/0jJZWOiBiXkbEia9T:xjyFgZ0Lr2/0jJU5BiIEN
                                                              MD5:96AD47D78A70B33158961585D9154ECC
                                                              SHA1:149BF6F6905A76B0CC9E9ACA580357BD6C3497A2
                                                              SHA-256:C861117D1F1DBF02867B46FA87CB8C65C3213D196029EE81A02B617D131236E2
                                                              SHA-512:6A971F742B5754EEF39C6C2C64DB13DFDCB74D8CB23833404E9EF5AD89E142278E5DF789F508DB561C5E957013AE0C60D002CDFA93BCD87CA4967D610DF1579B
                                                              Malicious:false
                                                              Preview:........V...f.....g.7........................!.....%....o8...).>...).F...).H...).X...).a...)*i...).k...).q...)Lt...).v...)Tw...).x...).}...).....)I....)i....)....).....).....)L....)....)....)t....).....).....).....)s....).... )....!)....")....#)....$)}...%)+...&)h#..').'..().-..)).>..*).A..+).C..,).Q..-)CU...).]..<).d..=).l..>)i...?)G...@)H...A)r...B)....C)z...T)....U)....V)+...W)....X)....Y)....Z)....[)#...\)}...]).!..^)R1.._).2..`).;..a).=..b)mE..c)QG..d).H..e)qL..f).U..g).]..h).b..i))d..j).e..k).g..l)Pi..m).p..n).z..s).z...).....)b....).....)'....).....)....)....).....).....)....).....)s....)F....)j....)....).....)....)....)....)h....)H....)....).....).....)k....).....)L....)q....)2....).....).....).....).....).....)N....)|....).....).....).....).!...).)...).6...).C...)RE...).L...).N...).O...).U...)bV...).W...).^...)o_...)(g...)Si...).v...).....)0....)/....).....),....).....*.....*F....*]....*3....*v....*....*v....*.....*.....*.....*$... *....!*8..."*....#*....$*....%*..
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):214119
                                                              Entropy (8bit):7.955451054538398
                                                              Encrypted:false
                                                              SSDEEP:6144:m5S+8U5mtp0ra7rFrJzw95T9OHCZg0Gb0OveGe04mExhLY:mWU5OGUFoqoORehrQ
                                                              MD5:391F512173ECEC14EB5CE31299858DE1
                                                              SHA1:3A5A41A190C1FB682F9D9C84F500FF50308617FC
                                                              SHA-256:E0F5C754C969CCA0AC4594A6F3F2C23D080A09EEA992AF29E19F4291FD1E0B06
                                                              SHA-512:44D7B9BCB3544C3F5550150EF3522BF6A0B36900695E6A13E44F5616E16A058548189D4FEA4A22248B1CB2B273B0EAA7D559EB2D8F013BED520E4097BD45D800
                                                              Malicious:false
                                                              Preview:........................#.b...&.....:.g....7.....7.....7.....7|(...7.-...7t5...7.6...7.9...7s:...7hB...7.E...7.G...7.K...7qN...7.Q...7yR...7.S...7.W...7.\...7.b...7.i...7.k...76m...7Vq...7.r...7.v...7.y...7.{...7.~...7Z....75....7;....7W....7.....7c....7u....7b....7.....7.....7.....7Q....7*....7\....8."...8,)..<FqG..=F7I..>F.L..?F$O..@F.P..AFaQ..BFnT..CF.W..DF.Y..EFJ\..FF.^..MF(b..NF.c..QF.e..RF.f..YFZg..ZF.p..[F.x..\F.{..]F.{...L.|...L.....L....Ni....N.....NJ....N2....N+....N^....No....N9....NK....N....N1....N$....N....Nh....N.....N.....U.....U.....U.....U.....U.....U[....U.&...Uh(...U?/...U.4...U.:...U.@...U.B...U,G...U.K...U)N...U.R...UF\...U.`...U.b...U.j...U]s...UEt...U.u...U.w...U.z...Uh{...U.}...U#....U.....U^....U.....U|....U.....U.....U.....U.....U.....U.....U.....U.....U.....U]....U?....U.....U9....U....U.....Um....U<....U!....U.....U.....U....Uq....U3....U!....U.....U....U.....Uu....UJ....U.....U.....U.....U.....U`....U'....U.....U.....Ul....U%....U7....U.....U.....UW.
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):290001
                                                              Entropy (8bit):7.9670215100557735
                                                              Encrypted:false
                                                              SSDEEP:6144:tS+8U5mtp0ra7rFriDQYaF+9bQHgs4jTlmOHCZVWGMRe8InVXYopym74:CU5OGUFrfs4gs4jTQ6ebVIo374
                                                              MD5:BF59A047984EAFC79E40B0011ED4116D
                                                              SHA1:DF747125F31F3FF7E3DFE5849F701C3483B32C5E
                                                              SHA-256:CD9BE67AA0527F16E309189FA2369E1A2596D0601A7D55C405F8A619F4D095E9
                                                              SHA-512:85A545758E8C89EF47BF11B553C57D23ED7DA6AE89A8BCCB262F509AABE61A1121C3F87EC9200791F2670225BAEECC3C92AED6AFDA86C08CA0FD611DA2E595D2
                                                              Malicious:false
                                                              Preview:........................#.....&.....:......7.....7.....7.....7.+...7.1...7.8...7.9...7)<...7.=...7xE...7.H...7.J...7'N...7.Q...7.T...7.U...7.W...7.Z...7._...7.e...7.l...7.n...7Fp...7ft...7.v...7)y...7.|...7.~...7.....7j....7E....7K....7g....7.....7s....7.....7r....7.....7.....7.....7a....7:....7l"...8.%...8<,..<F.J..=F.N..>FtV..?F9\..@Fw_..AFr`..BF0g..CFll..DF|o..EF.v..FF){..MF....NF...QFf...RF....YF`...ZF...[F....\F....]F....L*....L.....L.....N.....N.....N.....N.....N.....N.....N.#...N.&...N.'...N.)...N.*...N.+...Nv,...N.-...N;r...N.|...Um....U.....UM....UV....U.....U....UC....U.....U....UM....U.....U.....Um....U.....U.....U.....U.....UQ....U.....U7....U.....U.....Uk....U.....U.....U.....U.....U.....U.....U.....U.....U.....U{....U.....U.....U.....U~&...U.)...U.Q...U.Q...U.V...U.[...U.\...U._...U.`...U?a...U.a...Uic...U.d...U\f...U.g...U.i...U1l...U.p...U.u...U.}...U.....U.....U^....U.....U.....Ux....U....U.....Uy....U6....U.....U....UR....Uq....U.....U.....U_....U.....U.....U..
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):1305142
                                                              Entropy (8bit):7.99463351416358
                                                              Encrypted:true
                                                              SSDEEP:24576:8AkckSbnVLjWG13xdT0b+SLzRYt2k+lbG9EjJNH/osm22O+EcRfPLP:88zVXWG1hdAKSxY4k5EFNHgvPPLP
                                                              MD5:20DDA02AF522924E45223D7262D0E1ED
                                                              SHA1:378E88033A7083AAC24E6CD2144F7BC706F00837
                                                              SHA-256:8448C2BA10A3D7DC8CA3FB24F580BF99D91F746107B1A06E74932749CC1CAB01
                                                              SHA-512:E71320B2AA0CB52938206EC00187D78274646C4C7D3579B33A0163262C063B7813FE7ACD0D2E5807082ADE772069AA577FED7F594964790C2F7C061CE38467B6
                                                              Malicious:false
                                                              Preview:........i...f+....i+....l+....m+{...n+q...o+7(..p+.1..q+X3..r+~5..s+aI..t+.]..u+.f..v+Ui..w+'k..x+.l..y+.q..z+.s..{+O{..|+...}+=...~+.....+....+-....+.....+.....+.....+.....+.....+.....+.....+.....+.....+%....+.....+&(...+.Q...+.Y...+Xe...+Bj...+cv...+.}...+....+H....+....+Q....+l....+I....+.....+ ....+T....+!....+m....+.....+.....+U....+.....+.....+.....+l....+~....+.....+=....+w....+.....+-"...+.(...+.0...+.2...+.4...+.G...+uS...+.....+9....+y....+.....+.....+N....+....+0....+.....+.....+.....+_....+.....+.....+.....+.....+.....+.....+.....+.....+S....7`....7R...(7/...)7.....L.m...LO....L.....Mk....M.....M.....M>....M.....M.....Mq....M.....M.....M\....M.....M.....M.....M.....M.....M.....M.....M.....M.....MO....M.....M.....M.!...M.(...Mf5...M.;...M&E...M.P...M.T...M<]...M.`...M.j.. M.k..!M2v.."M.w..#M.z..$M....%M...&M...'M#...(M@...)M....*M(...+MY...,Mu...-M$....M..../MV...0M;...1Mx...2M....3M....4Mi...5M....6M....7MP...8M"...DM....EM.....Mi....M.~...M.~...Mb....M_....M....M.
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:current ar archive
                                                              Category:dropped
                                                              Size (bytes):87182312
                                                              Entropy (8bit):5.477474753748716
                                                              Encrypted:false
                                                              SSDEEP:196608:v0b1XAJ5V8XYcrfCNJsTtU0ZhdYHbgMnn6d25JOcLRiLnIrBcnK0EAeg1GF:78JaNJyZhdE6383rWEAR8
                                                              MD5:FFD456A85E341D430AFA0C07C1068538
                                                              SHA1:59394310B45F7B2B2882D55ADD9310C692C7144F
                                                              SHA-256:F188B96639B5157E64222BB8483D76CD21A99141FC2614EF275E20639C739264
                                                              SHA-512:EB4CB388383CB37B1D89531D560169985A80DF9335F005AFBBFDE56F9031821A933D735138B1086CF81D006E480FF14711A8A95B3DB8A0FD4037AA6EFD926B50
                                                              Malicious:false
                                                              Preview:!<arch>./ 1696073295 0 1940897 `...Y..:.t.:.>.:...:...:...:...:...;/..;/..;/..;/..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..@...@...@...@...@...A...A...A...A...A...A...A...A...A...A...A...A...Co..Co..Co..Co..Co..Co..Co..Co..Co..Co..E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...G..G..G..G..G..G..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=.
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):656926
                                                              Entropy (8bit):7.964275415195004
                                                              Encrypted:false
                                                              SSDEEP:12288:fI3Hdjzgsz5B0GDJQrnKs8SNP+QSsSilRBdNze0Vc+gIXgt4z8oO0TehEr7:g397zEEmPLSOdNze05gUgmz8oO0TOW
                                                              MD5:3404DD2B0E63D9418F755430336C7164
                                                              SHA1:0D7D8540FDC056BB741D9BAF2DC7A931C517C471
                                                              SHA-256:0D3FCA7584613EB1A38BAF971A7DD94F70803FC130135885EC675E83D16A4889
                                                              SHA-512:685D63633DB8A57D84225C2B92C92016E1CE98BA2BF8D3DDACE2EB120B3BCF84C718787D59DB6EC61F34CF91CB651500B4E4FF0AC37AEB89561CDCC586946C80
                                                              Malicious:false
                                                              Preview:..........+...........................&..........;.....;N....;.....;"....;.....;.....;N....;.....;.....;s....;....;.....;.....;....;4....;.....;.....;0....;.....;c....;7....;.....;.....;.....;.....;?....;:....;G....;.....;n....;x....;.....;.....;.....;#....;.....;.....;B....;.....;.....;.....;N....;.....;.....;+....;.....;% ...;c!...;.!...;."...;E+...;t4...;qH...;I\...;.]...;.^...;>a...;.c...;.g...;.o...;pw...;.|...;h....;.....;.....;....;.....;....;o....;.....;.....;.....;*....;y....;.....;.....;3....;9....;h....;.....;.....;.....;F....;."...;.+...;.0...;.8...;?:...;'X...;.q...;.....;....;.....;t....;.....;.....;.....;./...;.X...; m...;....;.....;.....;.....;+....;.....<O....<.....<.....<=....<2$...<y+...<.3...<.<...<aA...<.L...<.W...<.[...<._...<.d...<Dv...<t....<!....<....<....<.....<.....<.....<V....<.....<.#...<.8...<|F...<hP...<bW.. <i^..!<ts.."<(...#<{...)<`...*<c...+<d...,<"...;<x...<<k...=<....><-...?<....@<....A<'...B<g...C<....D<U...E<....F<....G<....J<....K<....L<v%
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):1017158
                                                              Entropy (8bit):7.951759131641406
                                                              Encrypted:false
                                                              SSDEEP:24576:m3Tl5zLmmibkFR8+mZRUumegvQtc05UwvdAbatzk6edhOLoe9:m3Tl53mNbkFRJmHURhQW05JvdlzkjrOH
                                                              MD5:3FBF52922588A52245DC927BCC36DBB3
                                                              SHA1:EF3C463C707A919876BF17C3E1CD05C0D2C28CA9
                                                              SHA-256:C6FE346106C5E4950161ED72EB0A81FE3537A94E4A59461AAF54E750D1904F76
                                                              SHA-512:682EB6D61B564C878FDB971A6439FCDA9F1E108BD021A32E8990B68B1338986A4866A0965DEA62567501C8826D43CEBF2B7C8BE8323DE415A75E8D89A9D592E7
                                                              Malicious:false
                                                              Preview:..........+.....................b................;.....;&....;.....;.....;.....;.....;b....;....;8....;.....;.....;o....;....;<....;.....;.....;l....;....;/....;.....;[....;Q....;.....;j....;.....;.....;L'...;.E...;lZ...;.o...;.q...;.r...;.s...;.{...;.{...;.~...;"....;.....;U....;.....;.....;.....;....;d....;.....;.....;i....;.....;f....;....;0....;.....;.....;.(...;+*...;.+...;A....;54...;.9...;,O...;.`...;.n...;.~...;.....;.....;M....;....;;....;q....;Z....;.....;.....;.-...;\=...;.P...;.d...;@|...;.....;Y....;#....;_....;/....;.....;.#...;.;...;.J...;gc...;cf...;W....;....;W....;.....;.....;.....;7....;.-...;.I...;Y\...;W....;....;.....;S....;.....;t....;.....;.....<W....<.&...<9<...<iG...<jQ...<.X...</a...<gi...<.n...<Pz...<.....<f....<.....<I....<.....<.....<.....<4C...<4d...<....<....<.....<.....<.....<D8...<.e...<_....<....<.... <I...!<...."<.E..#<.E..)<.G..*<%j..+<N...,<....;<....<<v...=<....><....?<....@<y...A<....B<....C<....D<....E<"F..F<.J..G<.O..J<.X..K<.e..L<.r
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):1174528
                                                              Entropy (8bit):6.475826085865088
                                                              Encrypted:false
                                                              SSDEEP:24576:I3lp87thPKuxyj+tWF8lCwOvzr90p5OM3:FauY+tWF8b5OM3
                                                              MD5:207AC4BE98A6A5A72BE027E0A9904462
                                                              SHA1:D58D2C70EA0656D81C627D424F8F4EFCCEF57C86
                                                              SHA-256:2BA904DA93ACC4766639E7018AC93CC32AA685DB475F3A59B464C6BC8B981457
                                                              SHA-512:BFB6C58774829DB3D5FADC92CB51477FF4EAC8FB934DB6583A312BB1157468F6DD3A4A3AFAF25A687B74890DC8A69857A12D0B38B18D83E82836E92E02046FF3
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....v...p......P.....................................................@A........................vT......AX..<.......x...........................<<.......................;......(...............<[.......O.......................text....u.......v.................. ..`.rdata..\............z..............@..@.data...H...........................@....00cfg...............F..............@..@.crthunk.............H..............@..@.tls.................J..............@...CPADinfo(............L..............@...malloc_h.............N.............. ..`.rsrc...x............P..............@..@.reloc...............X..............@..B........................................................................................................................................................................................................................................
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):2106216
                                                              Entropy (8bit):6.4563314852745375
                                                              Encrypted:false
                                                              SSDEEP:49152:DpX9JVeE9HP6Zpy9KyhMI50Du8LljslNsHSHFUq9OiapbbO5Akb:H3P9HP6Zpy9KyhMI50Du8LljslNsyHiS
                                                              MD5:1C9B45E87528B8BB8CFA884EA0099A85
                                                              SHA1:98BE17E1D324790A5B206E1EA1CC4E64FBE21240
                                                              SHA-256:2F23182EC6F4889397AC4BF03D62536136C5BDBA825C7D2C4EF08C827F3A8A1C
                                                              SHA-512:B76D780810E8617B80331B4AD56E9C753652AF2E55B66795F7A7D67D6AFCEC5EF00D120D9B2C64126309076D8169239A721AE8B34784B639B3A3E2BF50D6EE34
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 3%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\.h...;...;...;..];...;...;...;.._;...;..h;0..;..i;'..;..X;...;..l;D..;?M.;...;..Y;...;..^;...;Rich...;........PE..L...92.K...........!.........d...............................................p .....O. ...@.........................@.......@...P..................... .h............................................i..@............................................text...S........................... ..`.data....~.......B..................@....rsrc................(..............@..@.reloc..D............,..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):4127200
                                                              Entropy (8bit):6.577665867424953
                                                              Encrypted:false
                                                              SSDEEP:49152:OS7PQ+besnXqRtHKzhwSsz6Ku1FVVOsLQuouM0MeAD36FqxLfeIgSNwLTzHiU2Ir:O4PhqqFVUsLQl6FqVCLTzHxJIMd
                                                              MD5:3B4647BCB9FEB591C2C05D1A606ED988
                                                              SHA1:B42C59F96FB069FD49009DFD94550A7764E6C97C
                                                              SHA-256:35773C397036B368C1E75D4E0D62C36D98139EBE74E42C1FF7BE71C6B5A19FD7
                                                              SHA-512:00CD443B36F53985212AC43B44F56C18BF70E25119BBF9C59D05E2358FF45254B957F1EC63FC70FB57B1726FD8F76CCFAD8103C67454B817A4F183F9122E3F50
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........!7P.OdP.OdP.Od..NeR.OdP.Nd..OdY..dU.Od.Jem.Od.KeQ.Od...dQ.Od..Leo.Od..Je..Od..OeQ.Od..Ge..Od..Kec.Od...dQ.Od..MeQ.OdRichP.Od................PE..L..................!.....2<..*...............P<...............................?.......?...@A.........................<<.u.....=.P.....=.@.............>..%....=.........T....................u..........@.............=..............................text...e0<......2<................. ..`.data...`"...P<......6<.............@....idata........=.......<.............@..@.rsrc...@.....=.......<.............@..@.reloc........=.......<.............@..B........................................................................................................................................................................................................................................................................................
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):2205743
                                                              Entropy (8bit):7.923318114432295
                                                              Encrypted:false
                                                              SSDEEP:49152:qHlbrhXKMVp/DVegxF2Xe1WFG4F3KMWB7rwz3yY+23:qFnhXKwggr0cWEgaMi7rwrw23
                                                              MD5:54D4E14BFF05C268248CAB2EEDFB61DD
                                                              SHA1:33AF472176F6E5FB821FFE23C9FBCCC7C735B5B9
                                                              SHA-256:2CAC401BFFA9FD4DFFE11E05EE18FC5CA7A30EC5BF7EF6A3EA8518A4F3344790
                                                              SHA-512:5A6893E7EA30EAA0EFF44687B0D15366A8224E476E4AE8FE0D5C7EF2B3C62E6B0184F73EAD36C4E4E08D6936524CEF8429660B3EC29453EED128E3C5368CE78C
                                                              Malicious:false
                                                              Preview:........K....[.....[.....[.....[Y....[.....[.....[.....[.....[P ...[.!...[."...[.#...[.$...[.%...[.%...[T&...[0'...[/(...[.(...[.(...[.*...[.+...[{,...[1-...[.-...[3....[b/...[.0...[.1...[.2...[.3...[,4...[.4...[P5...[.5...[#6...[!8...[.8...[.9...[.9...[::...[q;...[Y=...[.=...[ ?...[.@...[0A...[iB...[?D...[.E...[pE...[UF...[.G...[.H...[)I...[.I...[.M...[.M...[DN...[.N...[FO...[.O...[.Q...[oV...[uW...[cX...[[\...[.]...[Ea...[bc...[.c...[ d...[.d...[oe...[.f...[.h...[.i...[Xj...[.k...[.l...[An...[.o...[.p...[.....[....[.....[.....[.....[.....[[!...[.%...[d....[x1...[.4...[.4...[.9...[.C...[.Q...[KS...[#V...[=]...\.b...\.z...\Q}...\.....\.....\*....\`....\.^...\7b...\uy...\g....\.....\.....\=....\....\....\....\'....\.....\....\.... \....!\...."\....$\....%\....&\....)\....*\....+\.Q..,\.S..-\.U...\..../\w...0\....1\8...2\....3\....4\....5\....6\....7\.T..8\.z..9\6...:\....;\c...<\)&..=\.*..>\>5..?\JU..@\.r..A\....B\9...C\....D\S...E\....F\\y..G\Y...H\%...I\....J\M...K\.a..L\.j..M\.n
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):10717392
                                                              Entropy (8bit):6.282534560973548
                                                              Encrypted:false
                                                              SSDEEP:196608:hpgPBhORiuQwCliXUxbblHa93Whli6Z86WOH:n8wkDliXUxbblHa93Whli6Z8I
                                                              MD5:E0F1AD85C0933ECCE2E003A2C59AE726
                                                              SHA1:A8539FC5A233558EDFA264A34F7AF6187C3F0D4F
                                                              SHA-256:F5170AA2B388D23BEBF98784DD488A9BCB741470384A6A9A8D7A2638D768DEFB
                                                              SHA-512:714ED5AE44DFA4812081B8DE42401197C235A4FA05206597F4C7B4170DD37E8360CC75D176399B735C9AEC200F5B7D5C81C07B9AB58CBCA8DC08861C6814FB28
                                                              Malicious:false
                                                              Preview:...'........CmnD........ Copyright (C) 2016 and later: Unicode, Inc. and others. License & terms of use: http://www.unicode.org/copyright.html ......E.......E.......E..P/...E.../...E..P7...E...7...E...h...F...h.. F..Pi..0F......DF.....WF.....jF..P...}F.......F..`....F.......F.. ....F.......F..0....F.......G......G......(G.....;G..@...NG......aG.....tG.......G.......G..@....G.......G.......G.......G..P....G.......H.......H..P...2H......EH..`...UH......hH......yH..P....H.......H.......H..`....H.......H.......H..P....I.......I......-I..@...=I......PI......aI..@...uI.......I...0...I.. 1...I..p1...I...e...I...e...I...i...I..`i...J...i..)J...K..BJ..p...^J..."'.uJ..P.'..J....'..J...5'..J..06'..J...>'..J..P?'..K...D'..K...F'.0K...H'.IK...V'.hK....(..K....(..K..P.)..K....)..K..pW*..K..P.*..L...*+.?L..p.+.bL....+..L...U,..L....,..L....,..L....,..L..@.,..M....,.-M..P.-.IM.. e-.`M...e-.~M...R/..M.../..M..0.0..M..@.0..M..P.0..M....0..N....0.!N...,0.9N...,0.NN..0-0.fN...-0.vN...Y0..N...Z0..N..
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):377856
                                                              Entropy (8bit):6.602916265542373
                                                              Encrypted:false
                                                              SSDEEP:6144:oJ4tr7XVkL/2qBCOeRMIKVpqtXmzKwdo23zqyU73omBT095OiZH:2NfBCOeR/KVpqtio23zqyOsOo
                                                              MD5:8BC03B20348D4FEBE6AEDAA32AFBBF47
                                                              SHA1:B1843C83808D9C8FBA32181CD3A033C66648C685
                                                              SHA-256:CBEE7AC19C7DCCCA15581BD5C6AD037A35820DDFE7C64E50792292F3F2E391E6
                                                              SHA-512:3F9EEC2C75D2A2684C5B278A47FB0E78B57F4F11591FAC4F61DE929F716BBAA8F7DF05E10390408AD6628538611541548C26869822372E9C38D2C9C43881651E
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....`...`............................................... ............@A........................8,..h....:..(.......x........................>..........................D........p..............(<..`............................text....^.......`.................. ..`.rdata..L....p.......d..............@..@.data....4...p.......`..............@....00cfg...............|..............@..@.tls.................~..............@....rsrc...x...........................@..@.reloc...>.......>..................@..B................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):6635008
                                                              Entropy (8bit):6.832077162910607
                                                              Encrypted:false
                                                              SSDEEP:196608:HrmMLEFtac5bM68f8Oi3WjH13GzSW3430aTwQCe:a+ktad68f8Oi3oH13GztokaTwbe
                                                              MD5:63988D35D7AB96823B5403BE3C110F7F
                                                              SHA1:8CC4D3F4D2F1A2285535706961A26D02595AF55C
                                                              SHA-256:E03606B05EEAED4D567EA0412350721C0D566B3096B18C23BD0B3FCDE239E45A
                                                              SHA-512:D5F5ACA00BE9E875FCD61531CC7F04F520FB12999E36E4FE06BEAAE491B47D2E9FE182015DB1CBFBB8E78CF679F2EB49E20ECDF1B16D1D42058D6F2D91BC3359
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!......L...........@.......................................e...........@A.........................].......^.d.....a.......................a.."...U]......................T].....X.L.............H.^.@.....].@....................text.....L.......L................. ..`.rdata...I....L..J....L.............@..@.data...X....._.......^.............@....00cfg........a.......a.............@..@.tls..........a.......a.............@....rsrc.........a.......a.............@..@.reloc..."....a..$....a.............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):176517632
                                                              Entropy (8bit):7.025874989859836
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:F5259CC7721CA2BCC8AC97B76B1D3C7A
                                                              SHA1:C2FC0C8396D8CD6764809A2A592972E2EBCA64BA
                                                              SHA-256:3FE6A262EF01CB8FD4DC2D4373DE0F1F0A89EE51953452ED4557CB55F1DA9AB4
                                                              SHA-512:2D01B1F2B24717EFF37965BBC32D167434A65F3DFFF74342D2E2FA8FBB0E97C3F61FDF673A13AD63031D630D9CE46A6F9F0C4F89EBD30C31F3EA55817B9D1331
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.........N.......k....................................................@A........................#..........h....0J.(C....................L.|.\.P................................?..............`.......LY..@....................text............................... ..`.rdata...%2..0...&2.................@..@.data...dr+..`.......>..............@....00cfg........I.......&.............@..@.rodata.@.....I.......&............. ..`.tls..........J.......&.............@...CPADinfo(.....J.......&.............@...malloc_h..... J.......&............. ..`.rsrc...(C...0J..D....&.............@..@.reloc..|.\...L..0\..B).............@..B........................................................................................................................................................................................................................................
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:current ar archive
                                                              Category:dropped
                                                              Size (bytes):40258
                                                              Entropy (8bit):4.547436244061504
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:310744A0E10BD9C2C6F50C525E4447F9
                                                              SHA1:9BA62D6AC2CB8EFF46C9B21051677FC1DC66D718
                                                              SHA-256:E9C55CFF925E26812139CDCAD6612E0D69E317CB7BB1435C9EB5113D338ACCE7
                                                              SHA-512:6DF9E3F9AFD7CDEC750B006987E5AEC445E163DD0B9CF1A9EA53F78DB2EE5FD654E3B4F82BCA3E1F4BEDB189F5DFA51189C820905676AD048DBE2E0AD405BF5B
                                                              Malicious:false
                                                              Preview:!<arch>./ 0 0 0 0 14390 `.......8z..:&..:...;...;...<&..<&..<...<...=...=...=...=...>...>...>...>...>...>...?f..?f..?...?...@B..@B..@...@...A$..A$..A...A...B"..B"..B...B...C...C...C...C...D...D...D...D...D...D...E...E...E...E...Fn..Fn..F...F...GZ..GZ..G...G...HJ..HJ..H...H...I$..I$..I...I...J...J...J...J...K ..K ..K...K...L...L...L...L...M...M...M...M...N...N...N|..N|..N...N...Od..Od..O...O...P`..P`..P...P...QP..QP..Q...Q...RT..RT..R...R...S@..S@..S...S...T...T...T...T...U...U...Un..Un..U...U...VP..VP..V...V...W,..W,..W...W...X...X...X...X...X...X...Y\..Y\..Y...Y...ZB..ZB..Z...Z...[,..[,..[...[...\...\...\...\...\...\...]b..]b..]...]...^N..^N..^...^..._6.._6.._..._...`$..`$..`...`...a...a...a...a...b...b...b...b...c...c...c...c...c...c...dj..dj..d...d...e^..e^..e...e...fV..fV..f...f...g8..g8..g...g...h*..h*..h...h...i"..i"..i...i...j...j...j...j...k...k...k...k...l...l...l...l...l...l...mh..mh..m...m...nN..nN..n...n...o2..o2..o...o...p...p...p.
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):470498
                                                              Entropy (8bit):5.409080468053459
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:64F46DC20A140F2FA3D4677E7CD85DD1
                                                              SHA1:5A4102E3E34C1360F833507A48E61DFD31707377
                                                              SHA-256:BA5CA0A98E873799A20FD0DF39FDB55AAB140E3CC6021E0B597C04CCE534246D
                                                              SHA-512:F7D789427316595764C99B00AF0EF1861204F74B33F9FAB0450F670CB56290C92BFB06EF7D1D3B3BF0B6ACDC6295E77F842C49579BD9973E3D5805920CDB2527
                                                              Malicious:false
                                                              Preview:........$$..e.>...h.F...i.N...j.Z...k.i...l.t...n.|...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.........................&...........5.....<.....C.....D.....E.....J.....W.....f.....w.................x.................A.......................S.........................................%.....{.......................V.......................J.......................Y.......................e.......................a.......................l...................................O.....f.......................).....z.......................6.....u.......................Q.......................E.....w.................!.....I.....R.............................l.......................f.................+.............................f.......................D.......................<......................._.......................2.....~.................2.....v.................X...........$.....8.................P.....r...........6.....j.....}.................1.....?...................
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):763010
                                                              Entropy (8bit):4.909167677028143
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:3B0D0F3EC195A0796A6E2FAB0C282BFB
                                                              SHA1:6FCFCD102DE06A0095584A0186BD307AA49E49BD
                                                              SHA-256:F9F620F599BC00E84A9826948C3DA985AC9ADB7A6FFB4C6E4FBEFEAF6A94CF85
                                                              SHA-512:CA9217F22C52EF44E4F25142D1AD5DD9D16E4CCC3B6641609E1F4C2650944E35BA4CAB59CA5CD9EA6FEFD6BE1D3E8227FC0E3E6BDEDD14B059CA2C72D096D836
                                                              Malicious:false
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):838413
                                                              Entropy (8bit):4.920788245468804
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:C70B71B05A8CA5B8243C951B96D67453
                                                              SHA1:DEED73A89F0B3EDAB8FF74117CC6B31CB4F426E8
                                                              SHA-256:5E0D4BC0893A334B6FFF610F66E4A00920530D73EC3257EB9D37A96EBD555C13
                                                              SHA-512:E000FD3592AC5FE700C4CE117868915C066AC66D5954A1DE4F5AFF0F4559C93F7DFF47623F1837CE827FFF94E91ECD89A974037BE9CCCC8E672E229A1E8115E9
                                                              Malicious:false
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):869469
                                                              Entropy (8bit):4.677916300869337
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:12A9400F521EC1D3975257B2061F5790
                                                              SHA1:100EA691E0C53B240C72EAEC15C84A686E808067
                                                              SHA-256:B7FD85B33B69D7B50F6C3FDC4D48070E8D853C255F2711EEDAA40D1BA835F993
                                                              SHA-512:31EAA1CBF13BC711750B257C6B75813ACC8E4E04E9262815E399A88B96BA7B5BE64CE2450638B5521D5CB36750C64848944168C3234D2CE15A7E3E844A1E1667
                                                              Malicious:false
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):1118348
                                                              Entropy (8bit):4.2989199535081895
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:89A24AF99D5592AB8964B701F13E1706
                                                              SHA1:2177122C6DCC20E1D07EF43AF5A112E8E5C6B95B
                                                              SHA-256:5BDBBCD0D07B6AE3A7F96F07871EE541F4111D90D73FD6E112C5ABE040025C96
                                                              SHA-512:60F6CD73BF35886EF54FA6200F86BCED78DD11F612C8071F63EB31108F109C166D45609879E8E5107024A025BAFCFCF1C80051B6D8FF650D92DCF17136384EB1
                                                              Malicious:false
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):537139
                                                              Entropy (8bit):5.397688491907634
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:37B54705BD9620E69E7E9305CDFAC7AB
                                                              SHA1:D9059289D5A4CAB287F1F877470605ED6BBDA2C8
                                                              SHA-256:98B2B599C57675EFC1456B38B23CE5657B142E0547F89AB1530870652C8EB4BA
                                                              SHA-512:42D667FEB59BB5FA619AC43DC94629ED1157CBE602643FB21378A2C524EF1F6E32098E7C62D3F3DE35D9FEDEF6607FE034908601AE3C49156CD0916E2514D2F9
                                                              Malicious:false
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):545011
                                                              Entropy (8bit):5.844949195905198
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:65A2C2A73232AB1073E44E0FB6310A5F
                                                              SHA1:F3158AA527538819C93F57E2C778198A94416C98
                                                              SHA-256:E9A1610AFFCA9F69CD651C8D2EDD71B5A0F82CB3910A8A9D783F68E701DB5BB0
                                                              SHA-512:20ED527F3BBBA2CECE03D7B251B19D6DCC9D345B5425291D8139FCDD5646EC34D585891160CC4BD96C668D18FFFFDD56F4D159880CFC0D538749F429F7F65512
                                                              Malicious:false
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):496165
                                                              Entropy (8bit):5.446061543230436
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:A44EC6AAA456A6129FD820CA75E968BE
                                                              SHA1:9B5B17AFD57ADB8513D2DA9A72223E8A003975A5
                                                              SHA-256:F01F9C3E4E6204425F2969F77BF6241D1111CE86CDD169BDF27E5D2D4B86C91A
                                                              SHA-512:947DB81EA64009CC301CD2DCE06384202E56446F6D75E62390334B91D09B564CB0681E06BF7A945033BD6C28C2171346A91EE16693262C4E373A31B51AD42A9E
                                                              Malicious:false
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):534726
                                                              Entropy (8bit):5.49306456316532
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:49CA708EBB7A4913C36F7461F094886B
                                                              SHA1:13A6B5E8DC8B4DF7A976A0859684DC0AA70F1B12
                                                              SHA-256:8AE7D6B77C51A4FE67459860ABDAE463F10766FAF2BA54F2BB85FD9E859D2324
                                                              SHA-512:6908F96BFDF7499B33E76697AA96103E89ACB3E25EDBD6156B610564AF14D4ED474C547A760503490B6327A801478E223039836BEEF2B938AF76827A15C0F751
                                                              Malicious:false
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):950999
                                                              Entropy (8bit):4.76377388695373
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:9CBC320E39CFF7C29F61BD367C0BF3BB
                                                              SHA1:2AF07EFFF54A0CF916CF1C0A657F7B7ADF2029FF
                                                              SHA-256:E8837DEFA908EB2FD8B4EB6344412C93403A4258F75EC63A69547EB06A8E53B3
                                                              SHA-512:F7D84185F4520E7AAF3F3CACF38B53E9638BB7D5023FA244020EC8D141FFD5C10B198FF089824D69671FE8350F931B0BB19B6CAF14AF47B0838953367A146DD0
                                                              Malicious:false
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):430665
                                                              Entropy (8bit):5.517246002357965
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:0F1E2BC597771A8DB11D1D3AC59B84F3
                                                              SHA1:C1F782C550AC733852C6BED9AD62AB79FC004049
                                                              SHA-256:E4798E5FF84069C3BFD7D64734CCD9FF5C8A606315B44A714ACDCABDDAF3CA6E
                                                              SHA-512:07E9B98357C880995576059AD4E91E0F145DC0F2FFF2DFDAD8649FA42EB46FA86F7F093503C41019EAD4550784E26C553D171518355FBBF995E38B1F6D7ABFF0
                                                              Malicious:false
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):434598
                                                              Entropy (8bit):5.509004494756697
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:FEAB603B4C7520CCFA84D48B243B1EC0
                                                              SHA1:E04138F1C2928D8EECE6037025B4DA2995F13CB4
                                                              SHA-256:C5B8FBDBB26F390A921DCACC546715F5CC5021CD7C132FD77D8A1562758F21F4
                                                              SHA-512:E6B3970A46D87BFD59E23743B624DA8116D0E1A9912D014557C38FD2664F513E56317AFA536DF52E7E703863FBD92136BE57EE759A2FFC2958AB028F6287E8B7
                                                              Malicious:false
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):524728
                                                              Entropy (8bit):5.377464936206393
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:32A59B6D9C8CA99FBD77CAA2F586509A
                                                              SHA1:7E8356D940D4D4CC2E673460483656915AA59893
                                                              SHA-256:AA4A5AA83DD5F8476867005844F54664DB1F5464A855EF47EC3A821DAF08E8F2
                                                              SHA-512:860BA06228BBA31EEC7EB8BD437DDB6E93BABD0129033FB6EFF168F2FB01B54E2B93D2AB50A5D4F5D2FB7B04A5D0DD5541999D708CC2613B74AADD17B3E98735
                                                              Malicious:false
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):523181
                                                              Entropy (8bit):5.356449408331279
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:3D1720FE1D801D54420438A54CBE1547
                                                              SHA1:8B1B0735AE0E473858C59C54111697609831D65A
                                                              SHA-256:AE32D66C0329104B9624BA0811FE79149D1680D28299440EC85835DBA41C7BD2
                                                              SHA-512:C033BBB5261EC114DCB076EDB5E4B3293F37D60C813674A947F996606A6289204C04D2E4315356D92EEEB43FF41D534997DBEBBF960B17F2F24AA731AFE4B7E1
                                                              Malicious:false
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):475733
                                                              Entropy (8bit):5.456553040437113
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:C00D66D3FD4FD9D777949E2F115F11FB
                                                              SHA1:A8EAAD96CABCDFB7987AF56CB53FA5E16143EC48
                                                              SHA-256:26C438935E3F666329EE8D1DABA66B39179BCF26EBAC902F9B957A784BDC9B4A
                                                              SHA-512:E7E8C083B556DD05874AC669B58A4D1CD05D1E1B771EB4C32942869E387C6FA2B317B5F489138BD90135117DAEB051D96A7823B531DF0303BD4245A036F25A20
                                                              Malicious:false
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):773397
                                                              Entropy (8bit):5.04618630633187
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:C998140F7970B81117B073A87430A748
                                                              SHA1:8A6662C3AABDAC68083A4D00862205689008110C
                                                              SHA-256:182F18E4EFCA13CA59AFD1DF2A49B09733449D42526EE4700B11A9C5E6AAC357
                                                              SHA-512:5A947A44F674F9556FDD44D2E4FF8CF0E0AAC4475FFA12480CA1BD07CFE7514961B7CACE6760189432B4B4BEB5EA5816701158EB3CB827A806F3063853C46D5E
                                                              Malicious:false
                                                              Preview:.........#..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.#...s.4...t.=...v.R...w._...y.e...z.t...|.z...}...............................................................................-.....T.....9.......................^...........u..........._.............................H.................a...........S.....f...................................?.................j..........._.............................'...........f.......................I.......................v.............................Q.....u...........}.................S...........).....@...........x.................m...........M.....d...........p.................H.................:...........`.................`...........l...............................................s...........C...........0.....P.......................;...........1 ....V ....q ....+!.....!....'"....I"....."....|#.....#.....#.....$.....%.....&.....&....j'.....(....l(.....(....W).....)....M*....p*.....*....n+.....+.....+....d,.....-....P-....x-
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):483378
                                                              Entropy (8bit):5.428549632880935
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:1CFD31A6B740D95E4D5D53432743EBF1
                                                              SHA1:20CEEEA204150BD2F7AAE5866C09A3B0AE72D4C5
                                                              SHA-256:F821E06B4BACD9E7660A2D6912A049591FFD56C6D2A0A29B914648589B17B615
                                                              SHA-512:C483B7347F91BE8EE515DCF352A1D7502B9A159EDE35EACCEBAA763B93A625BCE2D0C7D598C2A6111092257D6DAC7A167102E956697210D4694B9812D70C8A94
                                                              Malicious:false
                                                              Preview:.........#..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.%...v.:...w.G...y.M...z.\...|.b...}.t.....|.....................................................................................................^.....q...........7.....j.....}...........Z.......................~.......................s.......................D.....d.....t........... .....F.....`...........C.......................Q.....}.................S.......................T.........................................E.............................k......................./.....P.....\.................).....3.............................p.......................L.......................0.......................%.......................B.............................g.......................e.......................d.......................M.....d.....s...........*.....T.....f...........".....[.....u...........x.................I.......................Y.......................4.....v.......................S.....~.
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):546749
                                                              Entropy (8bit):5.197094281578282
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:6EDA0CD3C7D513AAB9856EC504C7D16F
                                                              SHA1:BA24C4B994E7866F2C012CCEC6C22DFC1A4FCFF6
                                                              SHA-256:3CD2BC9E887663C5E093E0334BC60CF684655A815E3DE7AD9A34BAD5EBB858B1
                                                              SHA-512:47000F5EA882CB9EDDCF4FB42ED229423EE55AA18B4A4353D7EF85ADFA7E1B0BBB33C2469887224D7146B3E33FB2296749CD053D68D7DAF26980BC710A27C63E
                                                              Malicious:false
                                                              Preview:.........$..e.@...h.H...i.^...j.j...k.y...l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.......!.....&...........6.....>.....E.....L.....S.....T.....U.....Z.....g.....|.................K...........:.....X...........O.................Q...........>.....e...........Z.......................~.................%.......................h.................H...........^.................M.................!.................H.....b...........].................V...........B.....d...........#.....N.....k.................A.....N.................,.....;.................S.....i...........5.....k.....z...........=.....o.....}...........>.....o.....}...........@.....r...................................R.......................L.......................<.......................e.................U.................F.....`...........>.....q.........................................%.................4.................4.................J.....b.................B.....X...........N.......
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):568277
                                                              Entropy (8bit):5.380723339968972
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:D185162DF4CAC9DCE7D70926099D1CF1
                                                              SHA1:46594ADB3FC06A090675CA48FFA943E299874BBD
                                                              SHA-256:E40C07183A32B75930242F166C5AAE28F4CD769BB2268391BEAA241814E7D45A
                                                              SHA-512:987D9CC6AD5F2ED6A87537FDADF105F6EB31A97B11156E70814FE021047E5D8D08398F008812038DF3CCDCB6254BF5B744D9982FE04F79D407AC2F53BB046E25
                                                              Malicious:false
                                                              Preview:.........$..e. ...h.(...i.9...j.E...k.T...l._...n.g...o.l...p.y...q.....r.....s.....t.....v.....w.....y.....z.....|.....}..................................... .....'.........../.....0.....2.....B.....P.....b.....q.................6.....X...........?.................'.................(.................W.................4.....`.....p...........D.........................................{...........(.....L...........*.....i.....{...........S.........................................}...........i.................N.......................H.....r.................N.......................f.......................}.......................x.......................e.......................d.................+.................&.......................8.....~.......................k.................0...........;.......................f.........................................d.................6...........4................."...................................R.....k.................G.....[...........G.......
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):1103776
                                                              Entropy (8bit):4.336526106451521
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:44F704DB17F0203FA5195DC4572C946C
                                                              SHA1:205CBCC20ADCCCF40E80AA53272FBA8CD07389CA
                                                              SHA-256:4B073F08F0C8C035974B5EC43AA500F8BDD50E6CFE91A2FB972A39E0F15ECEDD
                                                              SHA-512:3CFD4501556845141EE9B461C831CA59779AD99F0E83E8D03433DE78D774378E87DE752DD9711C112A0C584259AD1DA6DC891D92F3F447F63A4D84263CD5BFCE
                                                              Malicious:false
                                                              Preview:........4$..e.^...h.f...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.#...|.)...}.;.....C.....H.....P.....X.....`.....g.....n.....u.....v.....w.....|.......................&.....b....._.....0.....l....._..... ...............................................a.......................G.................r...........\.....|....._...........z.......................V...........n.....B...................................7.....4...../.......................".......................4.....p...........P...........E.....m.......................................................................'...........}.......................C.................j .....!....u!.....!.....".....#....\$.....$....K%.....%....R&....{&.....'.....'.....'.....'.....(....b).....).....*....'+.....+....t,.....,.....-....9.....|............/....W0.....0.....0.....1.....2....33....f3.....4.....5.....6.....6.....7.....8....<9.....9....|:....H;.....;.....;.....<....s=.....=.....=.....?.....?.....@
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):681555
                                                              Entropy (8bit):4.658620623200349
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:E75086A24ECAA25CD18D547AB041C65A
                                                              SHA1:C88CE46E6321E4A21032308DFD72C272FB267DBD
                                                              SHA-256:55BE8A5ED9FB9C129AC45B7FC99574B9907350AFD024BAA5D07525F43E995F6B
                                                              SHA-512:01D7FDD90B8D0D3779B8442250E2AA767481B2E581F880BF9C3DCBB15FCE52E477B1881F3704FBCB3172DB77DB10241BCB24851BFE30066D1E9B66244B3C6877
                                                              Malicious:false
                                                              Preview:.........$..e.....h.....i.....j.'...k.6...l.A...n.I...o.N...p.[...q.a...r.m...s.~...t.....v.....w.....y.....z.....|.....}.........................................................................+.....D.....].....z.....?...........~...........).............................O.................T...........#.....E...........:.......................w.................W................./...........F.................V...........5.....T...........K.................3.............................o...................................E.........../.....a.....t.............................z...........,.....?...........5.....v.................q.................5.......................r.................1...........X.................I.......................y.................$.................k...........).................!.......................#.................7.....P...........e.......................e.............................w...........W ..... ....$!....K!.....!....7"....g"....."....@#.....#....-$
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):1167065
                                                              Entropy (8bit):4.308980564019689
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:1FF8A0B82218A956D2701A5E4BFA84EF
                                                              SHA1:56BB8218963E14ADCC435F2455891F3A0453D053
                                                              SHA-256:62E7C3ABC317931723BE11ADD3712DD15EAAB0A35A4D8E7DB0B6347104EC5733
                                                              SHA-512:3330D983401953AA5ED4856A8D10FFCBEEFC2A4E594CF850566A0AD38837BC1164870BB1270B6BBE5D7DD6FB1ECA29CDE85869A5C51808B901CDC282E04764E4
                                                              Malicious:false
                                                              Preview:.........#..e.....h.....i.....j.....k.....l.%...n.-...o.2...p.?...q.E...r.Q...s.b...t.k...v.....w.....y.....z.....|.....}...............................................................................?.....j.............................................../.....j.........................................N.....}.....P...........^...........F...........A.....d.....K...........N.............................L.....&...........V...........f...................................L.....~.................{.................A.................y.....*.....}...........;...................................*.....[.................,.....K...................................j ..... ..... .....!....J".....".....".....#.....$....T%.....%....@&.....&....8'....d'.....'.....(.....(.....(.....)....6*.....*.....*.....+.....,.....-....c-......................%/.....0.....0.....1.....1.....2....i3.....4....B4.....5.....6.....7.....7.....9.....9....S:.....:.....;.....<....F=.....=.....>....N?.....?.....@.....@.....A....LB
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):526575
                                                              Entropy (8bit):5.518614920030561
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:0BD2F9847C151F9A6FC0D59A0074770C
                                                              SHA1:EA5313A194E9D99489E9F1D7B4DFC0BC986C8E17
                                                              SHA-256:5F2F1AA2E2EC78F375084A9C35275E84692EE68A1E87BBEF5A12A2C0FCF7F37A
                                                              SHA-512:0032C0B41FDF769DAA1AF23C443D4195B127DF9EA8621174F1AABDBAFAE4954383095FA1EEAD14FC458188B8837BBE9AECA0D5338E4D47F10D976FBED8609496
                                                              Malicious:false
                                                              Preview:........F$s.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.)...y./...z.>...|.D...}.V.....^.....c.....k.....s.....{.................................................................k...........Y.....z...........F.....~...................................e.......................y.......................m.......................l................. .................q................._.........................................A.............................4.......................j.......................D.....f.....w.................*.....:.................4.....I.................&.....5.................8.....M................. .....0.........................................S.....n.................0.....M.......................3....................... .................E.....v...........!.....F.....\...........).....[.....t...........U.................M...........(.....:...........".....`.................G.....v.................$.....B.....T...........0.....n.
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):566819
                                                              Entropy (8bit):5.6387082185760935
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:4C27A1C79AB9A058C0A7DFFD22134AFD
                                                              SHA1:5F0A1B34E808B91ADB1E431E462D9FCF82F4FFF2
                                                              SHA-256:AD98C0A367B51EB217E69D66FA6A946946E85EC8452FC5A7AE0F179F35BE28C3
                                                              SHA-512:0F066DB5905EB24B6CB4FBC7C81F017B43AFB7A6E975886644D871E979406B990509905D100653496EE2D20969A77434B702FF1EA5D348274AE54EA597A91D5E
                                                              Malicious:false
                                                              Preview:.........$..e.....h.....i.!...j.+...k.:...l.E...n.M...o.R...p._...q.e...r.q...s.....t.....v.....w.....y.....z.....|.....}.........................................................................+.....A.....V.....j.................9.....W...........N.................*.................*...........".....X.....q...........K.....r.................Y.................?................."...........I.................7.......................k...........'.....7...........:................./.................:.................Z.....w...........O.....v.................f.................5.................(...........2.....u...................................M.................0...........6.....x...................................m.................)................. .....I.................O.....g...........c.................O.......................E.......................r...........'.....H...........v.............................l...........7.........................................5...........& ....q
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):466959
                                                              Entropy (8bit):5.379636778781472
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:1466C484179769A2263542E943742E59
                                                              SHA1:18E45A08661FD6D34BADE01CDB1E1D5184BA2B67
                                                              SHA-256:C331293D16B16B08DEF73BE73437845D58C593941320C547A377DB423749AEBB
                                                              SHA-512:ABC54D5CAAA663578F064E43CC0465BEB97EFC46991936708EBF3FCD64BD007E47072AB4834A5361B21F064BB0F6527E247BC2C2F0DFB8336F50C2FF3E15A59C
                                                              Malicious:false
                                                              Preview:........ $..e.6...h.>...i.O...j.[...k.j...l.u...n.}...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.........................'...../.....6.....=.....D.....E.....F.....H.....V.....c.....s.................k................. .....l.......................l.................-.......................0.............................R.....s.................I.....x.................T.......................@.....j.....w.................L.....Y.................Z.....m...........H.......................%.....@.....Q.............................c.......................<.......................#.....t.......................L.....x.................%.....R.....^.................>.....K.................5.....G.............................J.......................".....h.......................L.....}.................#.....=.....K.................+.....:.................2.....K...........C.......................u.................,.....|.......................C.....b.....r...........1.....h.
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):522800
                                                              Entropy (8bit):5.284113957149261
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:7767A70358D0AE6D408FF979DF9B2CD4
                                                              SHA1:9C57A5B068DC12AAF1591778DEF5D3696377EDAB
                                                              SHA-256:672908E77E9EACA793654C8E630442099DE3BE772FD3230A9C4045CAFBCC0B1E
                                                              SHA-512:913AA8C49D04CD84706D08A88453D1ED36FDE6A00F7C1DF63DECEA99316A8A234924457C0C50937329B3979E437B1C2D7796E63ADF209505E212FDCEAE3BFDB5
                                                              Malicious:false
                                                              Preview:........-$..e.P...h.X...i.i...j.u...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.$.....,.....1.....9.....A.....I.....P.....W.....^....._.....`.....b.....u.......................E...........3.....O.................V.....g..........._.................o...........#.....L.............................k.......................n.................2...........*.......................w.................5.......................R...................................c................./.....[.....y.................=.....K.............................x.................*.............................`.......................4.............................^.........................................B.............................F.....\.....r........... .....L.....a...........=.......................b.......................8.....c.....v...........[.................c...........S.....j...........d.................[.................).....v.......................X.............
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):634636
                                                              Entropy (8bit):5.718480148171718
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:4A4AF69546DCF65F2D722A574E221BEA
                                                              SHA1:EE51613F111CF5B06F5605B629952EFFE0350870
                                                              SHA-256:7AD195AF107F2A394BAB527C3E84E08F3B7748076F23459F084CF0E05DD29655
                                                              SHA-512:0E93F6B22F7C9176EFC9D49901BFBD281FA5AC3632780DFA76CE597CADD8C1CF570A9163A86BC320BBFBD354F48288DBEC5E36A6088999B00A3561D302A96D03
                                                              Malicious:false
                                                              Preview:........n#K.e.....h.....i.....j.....k.....l.....m.....o.%...p.2...q.8...v.D...w.Q...y.W...z.f...|.l...}.~...............................................................................................6.....W...........}.................l........... .....8...........c.......................B.................W.......................x...................................7.....V...........e.................=.......................].......................{...........#.....2...........y.................`...................................<.....W...........j.................y...........e...................................h...........(.....:...........%.....a.....p...........{.................}...........m..................................._...................................Z.....x.............................o...................................:.....U...........*.....d.....z....."...........*.....?...........X.................`.................@.................g............ ..... ..... .....
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):1256908
                                                              Entropy (8bit):4.247594585839553
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:6A41A5AB03A22BDAEC7985B9A75EC11A
                                                              SHA1:6BB02DF557BD6522E02FE026C0243BEB9332B2E5
                                                              SHA-256:E22873652AC7D9D18E47DAE838D121B5644EDA4C67F7B0BC110733BF7E931FEA
                                                              SHA-512:BCA661D802D29463A847AC77EB8D5DFA41C31455E7314049CA26555957DCA3BE33701C074F7ED26D2C375A0A9C5F8A93461007B8D74F5ED3BD27C02E5DB170A5
                                                              Malicious:false
                                                              Preview:........O$j.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.;...y.A...z.P...|.V...}.h.....p.....u.....}.................................................................W...........".....V.....W...................................n...........b............................._.......................<.....)...........s.......................).............................1.....7...................................[.................................................................*.....u...........f...........K.....^........................ ..... .....!..../"....i"....=#.....#....r$.....$....I%.....%....l&.....&....p'....((.....(.....(.....)....N*.....*.....*.....,.....-.....-................./.....0....W0.....0....z1.....1.....1.....2....Y3.....3.....4....@5.....6.....6.....7.....8.....8.....9....V9.....:....R;.....;....1<.....=....B>.....?....]?.....@....DB....BC....wC.....D.....E.....F....$G....\H....AI.....I....4J.....K.....K.....L....PL.....M....lN.....O
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):532715
                                                              Entropy (8bit):6.0824169765918725
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:5FD9942F57FFC499481947DB0C3FDFA7
                                                              SHA1:4D60AB21305902877467FF6151C1B7AB12553AAE
                                                              SHA-256:09E279860E20E9E559945940E29446CAD4273D05C5F3F15D0BAD664A1D5749F2
                                                              SHA-512:97953E580588C07769F1BD0002E2DF648FFCE5B246D2359E4475EDCFA1CD6E7286BAF168A115D7A65686B2151C313B6FD0C271E40B1F9DD4132F2F39904FE8D4
                                                              Malicious:false
                                                              Preview:........O#j.e.....h.....i.....j.....k.....l.....m.....o.....p.....q.....r.....s.....t.....y.#...z.2...|.8...}.J.....R.....W....._.....j.....r.................................................................].................5.................O.....b...........F.......................p.................'.......................,.......................;.......................L.......................e.......................Y.......................X...................................Q.....h.................>.....U................. .....0.........................................-.....I.................A.....Q.................L....._.................K.....[.................J.....Z...........O.......................Z.....{.................U.....}.................`.................%.......................J.............................h.......................\.................+.......................m.........................................'.............................x.........................
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):573015
                                                              Entropy (8bit):5.63016577624216
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:8745B87D09D9ECC1112C60F5DD934034
                                                              SHA1:2F411E4EEF0E656CAC0C755FECE1AD2531CB689E
                                                              SHA-256:D546C994C81510122E7B2359DA50F694E1F0CA4081830404E16187A5CF4D4E0D
                                                              SHA-512:27B658C153A01AABB9595C5B1059567E535EDFC8F8187B89316D2C85694DE32696D209CFDD2A32C4826DFB1E50AC692937156563EE190E68DB358C40F9AAE15F
                                                              Malicious:false
                                                              Preview:........+$..e.L...h.T...i.e...j.q...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}. .....(.....-.....5.....=.....E.....L.....S.....Z.....[.....\.....^.....l.....y.................4...........".....=...........S.................M...........'.....A...........8.....p...................................A...................................B.....g...........z.................R...................................;.....K...........c.................T...........2.....P...........2.....Y.....t...........W.........................................E...................................D.....S...........Q.........................................S.............................B.................&.......................t...........1.....Y...........K.................+.........................................'...........N.................A.................,...........q.................d...........&.....F...........x.................(.......................H ..... .....!
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):570683
                                                              Entropy (8bit):5.624052036286866
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:E16B0B814074ACBD3A72AF677AC7BE84
                                                              SHA1:10744490B3E40BEB939B3FDCA411075A85A34794
                                                              SHA-256:46B5C09AA744AF0F660C79B0CDBDE8C8DBDD40A0BA1A23AAF28D37ECC4211DC5
                                                              SHA-512:70EA9DFAC667C0992AE0E95815A47EB8E779BAAE1215E733AFE84EEE26D3BA754AD838C12E9AEE3114D7BBE11CD21B31C550F5CAFE6C5E838B69E54C6174EF18
                                                              Malicious:false
                                                              Preview:........O$j.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.;...y.A...z.P...|.V...}.h.....p.....u.....}...................................................................................Z.................G.................%...........Z.................F.................6.................Q.....\...........Q.........................................|.....#.....t...................................W.................0...........T.................B...........8.....Y...........$.....J.....`...........-.....V.....h...........;.....b.....v.............................G.......................r.........../.....>...........'.....Z.....k...........c.................@...........3.....K.................).....>...........=.....t.................c.................(.................2.......................8...........<.....q.........................................:.................8...................................N.....^...........0.....K.....m............ .....
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):1307271
                                                              Entropy (8bit):4.279854356980692
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:309E068B4E15157486D095301370B234
                                                              SHA1:D962CDAF9361767045A928966F4323EAD22D9B37
                                                              SHA-256:4F2C19B7E94B695C5C5CAB95DEE6E49AE53C3337C351B5C665BCB6BA4E6AE909
                                                              SHA-512:6B1333946C7950D97D2DF29D063DB39A0EC5C0EEAA1ECA40743E4A6A0E4C972D897D3FF2BA837B53E31B8003F2C5C4BACCB7A4AB4B50C6CB47DF39AD7B8E05E7
                                                              Malicious:false
                                                              Preview:........N$k.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.,...w.9...y.?...z.N...|.T...}.f.....n.....s.....{...........................................................$.....d.................Z.....C.......................W...........%.....r.....a.......................}.................n...........................................................I.................m.......................l.......................5.....y.............................^.............................j.......................|............ ..... .....!.....!....*".....#.....#....V$.....$....n%.....&.....&.....&.....'....n(.....(.....).....*.....*....W+.....+....c,....+-.....-.....-...........0.....0.....1.....1.....2....!3....Y3.....4.....4.....5....T5....06.....6.....7.....7.....9.....9.....:.....;.....;.....<.....=....Z=....|>....s?.....@....T@.....A....UB.....C....SC.....D.....E....yF.....F.....G.....H.....I.....I....-K....(L.....L.....M.....N.....N....eO.....O.....P.....Q.....R
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):1075591
                                                              Entropy (8bit):4.313573412022857
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:69C36C23D6D9841F4362FF3A0F86CFDF
                                                              SHA1:C4C1F632EB8373107AEEBD6C26ECF036AEDA2B6B
                                                              SHA-256:6A794C2B08F8B046BE771DF33719536BDAF2371E3825D49A0E556958B781832D
                                                              SHA-512:8C1329BDB371677BC0A9D727A38591EDF32025BAE1E7EFE402D01C6A8BB5F647D827C59A18F40455D5C9C0482798525C98C3F1C8AC568AA886D7C1ED07D1580E
                                                              Malicious:false
                                                              Preview:.........$..e.....h.....i."...j.....k.=...l.H...n.P...o.U...p.b...q.h...r.t...s.....t.....v.....w.....y.....z.....|.....}.........................................................................@.....b.................%.....]...........W.................J.............................:.....@.....=...................................&.................&.....F.....P.......................h...........o...............................................c...................................R..........._.................i...............................................J.................. .....!.....!....(".....#.....#....O$....{$....B%.....&....c&.....&....F'.....(...._(.....(....R).....*....y*.....*.....+.....-.....-................./...../...../.....0....61....l1.....1....Z2.... 3.....3.....3.....4.....5.....6.....6.....7.....8.....9....E9....u:....n;.....;....@<.....=....O>.....?....5?.....@.....A.....B.....B....MD....WE.....E....eF....nG....LH.....H.....H.....I.....J.....J.....K....5L....)M.....M
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):489457
                                                              Entropy (8bit):5.250540323172458
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:A1253E64F8910162B15B56883798E3C0
                                                              SHA1:68D402D94D2145704DC3760914BF616CC71FC65D
                                                              SHA-256:E033BFAD6CD73EA7B001DFAF44B7102E3BBE2A1C418F005C149E4FB2565DB19F
                                                              SHA-512:ABD63713093049ECC8E24FD8145EAE065340058A3C38758A59EE8796FBED7E6CFBC54982D650889F1CEB54797060C7DDA12EEE2A963B14C5E907A110C2057DBE
                                                              Malicious:false
                                                              Preview:........T$e.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v./...w.<...y.B...z.Q...|.W...}.i.....q.....v.....~........................................................................................._.....{...........:.....n.....~...........\.................#.......................=.......................1.......................3.......................Y.................*.....z.......................W.......................E.......................b.........../.....A.............................N.......................$.....x.......................r.......................z.......................p.......................^.......................Q.......................r.................!.....s.......................S.....w.................6....._.....p.................T.....w.......................#.......................$.................2.....K...........B.......................s.................,.............................P.....r.................0.....].
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):476208
                                                              Entropy (8bit):5.4272499712806965
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:622ED80836E0EF3F949ED8A379CBE6DF
                                                              SHA1:9A94CD80E747B88582470EF49B7337B9E5DE6C28
                                                              SHA-256:560B2F09C1B6E6BB7E6A5A5F9BF85A88BD2ACA054B7D4A5955D9C91B6D7CA67C
                                                              SHA-512:950627E74180E1451BB35AE4A7416AC14D42D67BBBB59DC51D7B69E4CEB61715F8F9B0EB9D7F35FCEFD4D43FABE5CE2103F1AF3709CAE6733C25AC19E6339A83
                                                              Malicious:false
                                                              Preview:........2$..e.Z...h.b...i.y...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|."...}.4.....<.....A.....I.....Q.....Y.....`.....g.....n.....o.....p.....r.....}.......................N...........A.....V.................X.....k...........z.................K.......................L.......................:.......................;.......................g................./...........<.........................................R.................1...........Q.......................\.....u.................1.....V.....f.................9.....I.................H.....\.................J.....Z...........".....T.....d.................@.....P.................<.....J...........4.....y.................B.....h.....{...........&.....E.....^.................-.....?...........,.....k.................V.....|.................b.......................i.................&.......................s...........9.....b...........*.....V.....i.................".....0.................).
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):491139
                                                              Entropy (8bit):5.362822162782947
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:C8378A81039DB6943F97286CC8C629F1
                                                              SHA1:758D9AB331C394709F097361612C6D44BDE4E8FE
                                                              SHA-256:318FB294CE025BDA7636B062CA7B6A1FB1E30C485D01856159CB5DB928782818
                                                              SHA-512:6687FFE4DE0D5A2314743EB3134096292724163D4E0332D2F47922B4807B0CDE7C20E2D57D2662E403D801BC7A20BC247F5D0EDD787AB650E5766B49AF7D3C63
                                                              Malicious:false
                                                              Preview:.........$..e.*...h.2...i.C...j.O...k.^...l.i...n.q...o.v...p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}...............................#.....*.....1.....8.....9.....:.....<.....H.....X.....i.....{.............................X.......................|...........4.....J.................M.....d.................8.....G.......................).................8.....Y...........1.....h.................F.....{.................U.........................................\.................4.............................Y.......................-.....~.......................}.......................v.......................V.......................5.....a.....n...........*.....^.....m...........I.......................X.......................>....._.....v...........,.....T.....f...........8.....o.................=.....[.....o...........3.....e.....v...........H.....................................................E.....j...........5.....f.....{.................B.....R.................B.
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):550453
                                                              Entropy (8bit):5.757462673735937
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:80C5893068C1D6CE9AEF23525ECAD83C
                                                              SHA1:A2A7ADEE70503771483A2500786BF0D707B3DF6B
                                                              SHA-256:0069648995532EFD5E8D01CC6F7DD75BD6D072E86C3AE06791088A1A9B6DACC4
                                                              SHA-512:3D1C41A851E1CF7247539B196AD7D8EE909B4F47C3CFB5BA5166D82CDA1C38049B81A109C23FA6D887490E42EE587CC2A6BD96A3EA890267C089AC74710C755F
                                                              Malicious:false
                                                              Preview:........6$..e.b...h.j...i.{...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|."...}.4.....<.....A.....I.....Q.....Y.....`.....g.....n.....o.....p.....r.............................X...........S.....o...........=.....w...................................i...............................................z.................$.................1.....W...........M.................*.......................@.......................l...........0.....L...........].................9.....v.......................E.....h.....x.................,.....:.................<.....P.................>.....P.................6.....F.......................-.........................................e.....}.................4.....K.......................;.................+.....@.................a.................+.....I.....`.................9.....U...........2.....}...................................w...........'.....R.................9.....J.............................v.............
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):516256
                                                              Entropy (8bit):5.426294949123783
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:3BA426E91C34E1C33F13912974835F7D
                                                              SHA1:467A1B05BAD23252A08EE22E6B9EBB4404F6A0F0
                                                              SHA-256:CB66D88D3B3938FE1E42C50ECB85CEDB0D57E0F0AB2FA2A5FC0E4CDEA640E2B7
                                                              SHA-512:824A4301DC4D935FF34CE88FAA0354440FC1A3A8E79B0F4B0B2DCC8F12542ECEF65828FB930EDF5B35BF16863296BBAE39E9306962B4D3CFA9F6495AC05BDEF4
                                                              Malicious:false
                                                              Preview:........9$..e.h...h.p...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.$...|.*...}.<.....D.....I.....Q.....Y.....a.....h.....o.....v.....w.....x.....}.............................d...........L.....h.........../.....h.....x.............................w.................(.....y.......................^...................................:.....j..........._.................:......................._...................................K.....d...........p.................5.............................q.......................n.......................w.......................p.......................O.....}.................).....W.....a.................V.....g...........b................. .....j.......................;.....a.................=.....U...........N.................2.....W.....p...........8.....p.................S.................@.................0...........1.....{.................X.......................0.....V.....k...........C...................
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):518861
                                                              Entropy (8bit):5.4029194034596575
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:4D7D724BE592BD0280ED28388EAA8D43
                                                              SHA1:8E3C46B77639EB480A90AD27383FBB14C4176960
                                                              SHA-256:4724D82866C0A693C2B02D1FFA67D880B59CDB0D3334317B34EC0C91C3D3E2A2
                                                              SHA-512:D05388F66C50E039F7D3393515740F6B2593F9C0EF8651F9CDE910C5FF06656E0D22FDB066B22665289EE495837EA16CC085ECB3F85B0F6FB498AECDAA19ADF7
                                                              Malicious:false
                                                              Preview:........I$p.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v."...w./...y.5...z.D...|.J...}.\.....d.....i.....q.....y.......................................................................u...........Z.....u...........@.................).................$.................S.....w.................D.....T.................(.....:...........(.....j.................x.................H.......................g...................................9.....N...........D.......................p.......................^.......................a.......................q.......................r.......................U.............................[.....e.................P.....a...........?.......................O.....y.............................?.................0.....J...........#.....p.................9.....c.....u...........#.....Y.....n.........../.....}...............................................G.....k...........N.......................B.....g.....|...........J.......
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):537125
                                                              Entropy (8bit):5.4566742297332596
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:4F1C0A8632218F6FEF6BAB0917BEB84F
                                                              SHA1:05E497C8525CB1ADE6A0DAEFE09370EC45176E35
                                                              SHA-256:9C19835F237B1427000D72C93703311CFCBEFF6C2B709474B16DB93E629BC928
                                                              SHA-512:A7CDF94F79CD888BB81FD167F6B09BF1BEF2C749218869E5A12A0A3B2C2506D1A63F64B63D8E48EA49375636041C639082563BF9D526FE44003FC5A5E8D50E9D
                                                              Malicious:false
                                                              Preview:........0$..e.V...h.^...i.o...j.y...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}.(.....0.....5.....=.....E.....M.....T.....[.....b.....c.....d.....f.....u.......................3.................+.................%.....9...........@.................1.......................Q.......................4.......................C...................................>.....b...........@.......................d.........................................p...........@.....n.................+.....H.............................h.......................M.......................J.......................7.............................].......................E.....t...................................?.............................W.....w.................\.................).......................f.......................W.........................................'...........$.....y...................................f.......................j.......................l...........+.
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):878725
                                                              Entropy (8bit):4.848685093578222
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:3A3D0D865A78399306924D3ED058274E
                                                              SHA1:AA1A42DB6021666B2297A65094D29978792CE29B
                                                              SHA-256:EAB4C32FEBE084CC7A3A272CDA008B69D6617ED6D042376B0316BE185B9E66FE
                                                              SHA-512:ACA8C87D0B2BB35A325726F7774F8A0232B99C8EFE0F948AB68210958E23B95E9D9026A9430D96FC2D5CEBA94815F4217896EF877C9A6E1D0E56F73533FB1D12
                                                              Malicious:false
                                                              Preview:.........#/.e.....h.....i.#...j./...k.>...l.I...n.Q...o.V...p.c...q.i...r.u...s.....t.....v.....w.....y.....z.....|.....}.........................................................................9.....V.....n...........V.......................g...........i...........l.....).................g...........,.....f.......................@.................6.....M......................./....."...........l..........._...........D.....y..... .................&.......................5.....9.....3.............................B.................r.................D...................................=.....b.........................................E.....\...........Y.................'...................................D.....n...........j.................9.......................a...........i...........v...........t...........a........................ ....,!....l!.....!....j"....."....R#....|#....O$.....%.....%.....%.....&....x'.....(....Q(.....(....z).....).....)....]*.....*.....+....$+.....+.....,.....-
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):553886
                                                              Entropy (8bit):5.812150703289796
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:A9656846F66A36BB399B65F7B702B47D
                                                              SHA1:4B2D6B391C7C2B376534C0AF9AA6779755B4B74E
                                                              SHA-256:02B65F48375911C821786D91698E31D908A4C0F5F4F1460DE29980A71124480E
                                                              SHA-512:7E23CAA89FF80BF799AC5353CEAF344CBED0393F23D15FCBE8DC24EE55757F417CEA3BFC30889FD2CB41951F9FA5629C2E64B46DD9617D4A85EFEF0A255246F6
                                                              Malicious:false
                                                              Preview:........5$..e.`...h.h...i.|...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....|.%...}.7.....?.....D.....L.....T.....\.....c.....j.....q.....r.....s.....u.............................h...............................................[.........../.....I.................S.....j...........9.....h.....{...........4.....].....q...........J.................?.............................%.....`.....y...........\................./.............................%.....v.................G.....g.....|...........=.....c.....u...........6.....].....o...........O.........................................".......................3.......................R.............................-.....x.................0.....K....._.................0.....E.................G.....W...........T.................).....w.................-.......................M.............................O.................J.........................................'.........................................E.
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):532410
                                                              Entropy (8bit):5.486224954097277
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:BE49BB186EF62F55E27FF6B5FD5933F4
                                                              SHA1:84CFD05C52A09B4E6FA62ADCAF71585538CF688E
                                                              SHA-256:833F2E1B13381AA874E90B747931945B1637E53F2396A7409CCDA0A19CBE7A84
                                                              SHA-512:1808631559D3C28589D3F5A4B95554CEBC342DE3D71B05DDC213F34851BF802967BFFAC3D7668C487265EE245D1E26EFCE5D317EDBFBBEEB4BC2C9F122980585
                                                              Malicious:false
                                                              Preview:.........$..e.....h.6...i.G...j.Q...k.`...l.k...n.s...o.x...p.....q.....r.....s.....t.....v.....w.....y.....z.....|.....}...............................%.....,.....3.....:.....;.....<.....>.....P.....^.....n...................................y.................&...........2.....}.................h.......................g.......................Z.......................v.................O...................................3.....I.................T.....h...........b.................S...........$.....J.......................(.............................n.......................z...........$.....8.................2.....C...........).....j.................;.....i.....|...........?.....q.................[.......................g.......................L.....j.................G.......................~.................I.......................B.......................b.............................^.............................o.........................................j.......................x.......
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):818089
                                                              Entropy (8bit):4.779985663253385
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:AFA2DFBA3BD71FE0307BFFB647CDCD98
                                                              SHA1:CD7A5C54246E891981AEEEAA88D39EC9E3F2C594
                                                              SHA-256:1375353837629A20102C69BF62701EE5401BED84D3DC4845BED5EE43E4D322CF
                                                              SHA-512:CE8BBBDDC33CB6B8DF4AEE127A8987E6D8C1D0761AC5BD25D685310BAA2D377F239BDF06F2C04B54295CF8FD440697A69A040644D5A7C0395C4F71A0252B8E87
                                                              Malicious:false
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):479512
                                                              Entropy (8bit):5.541069475898216
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:09592A0D35100CD9707C278C9FFC7618
                                                              SHA1:B23EEF11D7521721A7D6742202209E4FE0539566
                                                              SHA-256:9C080A2F6D4EDF0E2E94F78550B9DB59ADF5B1B9166DE2BAE496E6ABB6733304
                                                              SHA-512:E0760B3F227A3E7EAEB4816B8E02BEE51C62730D24403724D66B36BCCBC0BDCD56DF9EAB28B073AB727EE12C8856A858E52A9803E1A1C9164FCD3CF2F716D8AF
                                                              Malicious:false
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):504856
                                                              Entropy (8bit):5.34516819438501
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:9E038A0D222055FED6F1883992DCA5A8
                                                              SHA1:8FA17648492D7F093F89E8E98BF29C3725E3B4B5
                                                              SHA-256:DDCA575D659545D80E715EB4176BBBBFBD3F75E24B223537B53740B0DCB282BD
                                                              SHA-512:FB70F97E08191DFEB18E8F1A09A3AB61687E326265B1349AB2EFF5055F57E177A496BF0EA3592B61C71FE1F73C9143CA1495B05226F36EB481024827CAE6DCC4
                                                              Malicious:false
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):1298313
                                                              Entropy (8bit):4.058495187693592
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:36104CB0D5E26E0BBB313E529C14F4B4
                                                              SHA1:69A509DEE8419DA719DCF6DE78BFE0A6737508C5
                                                              SHA-256:DC28C869A143424F71EDCFDB08B56DA31C2EC96E9D608535FFA7DC0B0842B7D8
                                                              SHA-512:D46ED1AA19EB298BC4C3D61EFC28D80753D6B551F01808E6158A0869FAAE8755DF61D4B4BAFF1310DD09FCFC385ABA67E1AA7D61BBE399DF7BB2D483EBE0FEFF
                                                              Malicious:false
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):1199612
                                                              Entropy (8bit):4.314031920337284
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:98714389748A98ECC536CD2F17859BDF
                                                              SHA1:07761AA31588F30C2CED4A1E31FE99DDC43A5E8D
                                                              SHA-256:8A81B1A5457407E49D6372677938E7A2D28DFCA69F555FEDC8A2C9C09C333A65
                                                              SHA-512:38CC4F064BD874EEC9DBFAB4C2A83A487FBCD89CEFB40BE4213C42231BC48AF9255341C9D325EE059BC50EE533898C5FA22CD3B3927A8E045049DEF3C5DFB2C6
                                                              Malicious:false
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):1008989
                                                              Entropy (8bit):4.356501290091745
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:56F29DE3465795E781A52FCF736BBE08
                                                              SHA1:EAA406E5ED938468760A29D18C8C3F16CF142472
                                                              SHA-256:529C561747BF8B6206BE4F8BCF287A1D15E1B14A33113242DDAD5E035CA37BE6
                                                              SHA-512:519B5B3CC7032B2AF856456EEC25019B3A6A7F2A6DB7A0318CF87C41E08C6F6BFA73E239939B0DA16972C1D357FF06177765D875E19742D23E99A95FD4AC5416
                                                              Malicious:false
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):515329
                                                              Entropy (8bit):5.616482888977033
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:46CA9EE922C3C175DE466066F40B29CE
                                                              SHA1:5563E236A15CD9CC44AE859165DF1E4E722936C7
                                                              SHA-256:BD8B1441FD2057F0B61512CC0AA23DFD2619560CF886B4D453FA7472E7153A3F
                                                              SHA-512:45AA2D6896568751C2F986ABD281EA07CB731880DF8F28F2F0AEFD95736F41B1E005D8DFB6F0AEF0CED6CEF94154D34FD0DA2CB7F0B0C66D9C085F5C47F32605
                                                              Malicious:false
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):876131
                                                              Entropy (8bit):4.88404350774067
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:1365ABDD1EFB44720EA3975E4A472530
                                                              SHA1:8421FC4905C592EB1269C5D524AA46866D617D3C
                                                              SHA-256:29AB0F7EE69FB7A1E1E54DD2A3746D2CFEAAA71AE5971EE30AA8E2E0F6556FA5
                                                              SHA-512:2E806A9BEA864E689BBD1D78B800DFDBC6E4109320F9A4790E52010BFDEC20C7644655A6FE3BABDE0B84D9580208CB78EF1FA0DB3476F8676C17A13D130296C7
                                                              Malicious:false
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):765853
                                                              Entropy (8bit):5.17061834928747
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:3FED15E64BEAFBA75DE61B08A45AE106
                                                              SHA1:E24953271D8C0254AD011D3A65B2C2FA57903681
                                                              SHA-256:B6E250C3F4FBAC3AF5FB8BB1C61CACAD8685D7F2A97063DE23BC22E91B7F2E27
                                                              SHA-512:3948D080135AFEB240815D43F7B5B8D407BA2830FF701D9B8343F2A72E610827EDAAB643444CDCEB86812ADFC9FB3FBA3AAD6DB7488843C2A04E92A3E63FE40D
                                                              Malicious:false
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):609259
                                                              Entropy (8bit):5.796202390024141
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:CD741C24AF7597E0DC11069D3AC324E0
                                                              SHA1:2A883DFBCF48D5093D70D4B77BBFFFA521287334
                                                              SHA-256:13E982DC4B2B1AEE093E96BA27E02258C2B815CBB062006A4396BB3A3E6A84B1
                                                              SHA-512:6D27998E25B57FF0CE08C3590B69031038CBA390E68333A83514022B2C56B689AF8AD9715302824027864B5320852E9AB77D74E3B8A90DC66DF59F48CEB528C9
                                                              Malicious:false
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):441207
                                                              Entropy (8bit):6.685712707138377
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:99E6ACFB46923C4F8B29058E9EE6166B
                                                              SHA1:AF06C42E5F3578ADBC4F0BD7262DC6775FDD351F
                                                              SHA-256:9D8498875263B19552A982D1850F2F942FF44AF4E323BC5A3A67C34413994D95
                                                              SHA-512:4FDF5186FC2FC68210C2BE91F5B821F0979CA67D6C9B8915C14E7A20D3CE2548EB2660D5F9F398CF6C585A5C0725FA34FD3670F416F7C8A4F009C729BCF02988
                                                              Malicious:false
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):439630
                                                              Entropy (8bit):6.6906570508767995
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:BB7C995F257B9125457381BB01856D72
                                                              SHA1:21C55FF5CBC4F223C23D5A2FBCC9E051DB78A44C
                                                              SHA-256:F2299E03E99B0E9A9CACE3B1C72E6C8C5FE089487CA1C82F2AAF4273B62E37A2
                                                              SHA-512:5247C5DA6F00DF6241500524DDB162041A03649FA0AFCC11AD40E820814958768A2E11CE34E1250FDBF42B2459F8C06B00AE7442B537F0731A62C6724FC8D890
                                                              Malicious:false
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):275968
                                                              Entropy (8bit):5.778490068583466
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:7EA1429E71D83A1CCAA0942C4D7F1C41
                                                              SHA1:4CE6ACF4D735354B98F416B3D94D89AF0611E563
                                                              SHA-256:EDEC54DA1901E649588E8CB52B001AB2AEC76ED0430824457A904FCC0ABD4299
                                                              SHA-512:91C90845A12A377B617140B67639CFA71A0648300336D5EDD422AFC362E65C6CCD3A4FF4936D4262B0EAF7BAE2B9624BCD3C7EEC79F7E7CA18ABE1EC62C4C869
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):1547797
                                                              Entropy (8bit):4.370092880615517
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:32AB4E0A9A82245EE3B474EF811F558F
                                                              SHA1:9F2C4C9EEB5720D765F2321ACD0FF9F8DD11E6A4
                                                              SHA-256:9BBF4D15F8FB11F7D2C032BD920D2A33B2C2CB8EF62E7E023049AF6132F5D6C1
                                                              SHA-512:A0574A170F69F9926C32BAF6119A16A381FEC9E881B304082859EE7CFF463570C78984EE14369C59CDB19E532B3ABF193D02B462F1B40D07214B6244150CD63F
                                                              Malicious:false
                                                              Preview:<?xml version="1.0"?>..<doc>.. <assembly>.. <name>log4net</name>.. </assembly>.. <members>.. <member name="T:log4net.Appender.AdoNetAppender">.. <summary>.. Appender that logs to a database... </summary>.. <remarks>.. <para>.. <see cref="T:log4net.Appender.AdoNetAppender"/> appends logging events to a table within a.. database. The appender can be configured to specify the connection .. string by setting the <see cref="P:log4net.Appender.AdoNetAppender.ConnectionString"/> property. .. The connection type (provider) can be specified by setting the <see cref="P:log4net.Appender.AdoNetAppender.ConnectionType"/>.. property. For more information on database connection strings for.. your specific database see <a href="http://www.connectionstrings.com/">http://www.connectionstrings.com/</a>... </para>.. <para>.. Record
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):342741
                                                              Entropy (8bit):5.496697631795104
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:A58DB728B50E6B82CBDCAA0DB61D36B1
                                                              SHA1:7CD76526CB29A0FF5350A2B52D48D1886360458B
                                                              SHA-256:BA2F2AC6AE9BC67399728F25772A0EB3E840695395CC747ADF4B2F8B5D6D9A46
                                                              SHA-512:0DB9AFBDADA44364521D89BAB6055458125F4F3C8C1B09048EAFA4055A194231CCFFD82FCDADA9360AB2B19F472B893330EBFCB027391E7A0C2B1100FC51E673
                                                              Malicious:false
                                                              Preview:..mirrors....(function(a,b){."use strict";.var c=a.Array;.var d=a.isNaN;.var e=a.JSON.stringify;.var f;.var g;.var h=b.ImportNow("promise_state_symbol");.var i=b.ImportNow("promise_result_symbol");.var j;.var k;.b.Import(function(l){.f=l.MapEntries;.g=l.MapIteratorNext;.j=l.SetIteratorNext;.k=l.SetValues;.});.var m={.UNDEFINED_TYPE:'undefined',.NULL_TYPE:'null',.BOOLEAN_TYPE:'boolean',.NUMBER_TYPE:'number',.STRING_TYPE:'string',.SYMBOL_TYPE:'symbol',.OBJECT_TYPE:'object',.FUNCTION_TYPE:'function',.REGEXP_TYPE:'regexp',.ERROR_TYPE:'error',.PROPERTY_TYPE:'property',.INTERNAL_PROPERTY_TYPE:'internalProperty',.FRAME_TYPE:'frame',.SCRIPT_TYPE:'script',.CONTEXT_TYPE:'context',.SCOPE_TYPE:'scope',.PROMISE_TYPE:'promise',.MAP_TYPE:'map',.SET_TYPE:'set',.ITERATOR_TYPE:'iterator',.GENERATOR_TYPE:'generator',.}.var n=0;.var o=-1;.var p=[];.var q=true;.function MirrorCacheIsEmpty(){.return n==0&&p.length==0;.}.function ToggleMirrorCache(r){.q=r;.ClearMirrorCache();.}.function ClearMirrorCache(r){.
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):8226870
                                                              Entropy (8bit):7.996842728494533
                                                              Encrypted:true
                                                              SSDEEP:
                                                              MD5:F7EC58AEA756F3FD8A055AC582103A78
                                                              SHA1:086B63691F5E5375A537E99E062345F56512A22C
                                                              SHA-256:517418184EA974C33FFE67B03732D19B1234DCB9E5C1C2E9E94ED41B3BC1D064
                                                              SHA-512:C620C6E16BBCEE9BC607E6CA75D602C756276AC69E5F3761D82DE7728164133656A71A69043EB1A86CE3051FDE4327A47EFD41D1FF47C8385699CA67C423AD7B
                                                              Malicious:false
                                                              Preview:............f.6:..{..D..|..G..~. K.....]....._....=.....c...........9.....B.............................F.....K/.....2....54....r5.....6.....?.....@....jB.....C....hD.....E.....H....nj.....k.....r....@~...."..........W.....................;..../;'...2;P...7;....8;....C;....D;U...E;....F;....G;A,..H;.;..I;gK..J;.Z..K;.h..L;.}..M;y...N;{...O;z...P;....Q;8...R;....S;....T;C'..U;.=..V;.W..W;.m..X;....Y;....Z;D...[;....\;....];.....<.....<x....<.....<-....<\....<.....<.....<.....<.....<*(...< /...<+3...<.3..I=.3..J=.7..K=.9..R= >..S=.G..T=}V..[=;w..\=.x..]=.}..^=R..._=....`=....a=....b=....c=....e=:...f=.....=....=.....=....=`....=p....=.....=.....=.....=.....=.....=K....=.....=t....=.....=.....=.....=\....=Z....=.....=T....=[....=x....=.....=.....=D....=.....=.....=.....=l....=F....=.'...=j)...>.+...>l,...>_0...>.2...>.6...>.8..N>.\..O>~^..P>._..Q>%d..R>.k..S>.l..T>Tn..U>.p..b>.u..c>/y..d>.|..B@....C@....D@o...E@....F@W...L@Z...M@(...N@...O@....D.....D ....D ....D;....D.....D....D..
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):276319
                                                              Entropy (8bit):4.242318669799302
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:8234983533FA47D2A1D7710FF8274299
                                                              SHA1:E4C5793B6FE6A6C6C9D8E3921B3BC341AE3448D8
                                                              SHA-256:F95553D8066144CBB8A05EED1735C94A4B97A2E44E49F624C2302990A13017C9
                                                              SHA-512:1E7E201B0FF9AFA7821B5FFD0A36548A49CD4DBBABA5858E13DA35058670A5053723DD3544B2FD85C619F2B8FC9E5DB48DF977BB293E7BA7DE6F22CC8DAB28CA
                                                              Malicious:false
                                                              Preview:.........X./j1N.11.8.172.9.......................................................@...y...........@..`....`....`....`b...`....`............B..............b........."..............B..............b...(Jb...)L.....@..F^.1..5.`.....(Jb...-P.....@..F^..`.....H...IDa........Db............D`.....-.D`.....D]D....D`......WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa............L...................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:ASCII text, with no line terminators
                                                              Category:dropped
                                                              Size (bytes):26
                                                              Entropy (8bit):3.8731406795131327
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:2C66F3C2190A84FAFD4449DAF6440EAC
                                                              SHA1:7B9E4C94329FE26C34E63AB8336227FD5EB553E9
                                                              SHA-256:58EB97E30289A3FCAE270DBCC01258A862936350CB0EF781AE76D6A9444C0155
                                                              SHA-512:62713209575426CE503605C6F451E9DFB025BE0295F0A453614862CE390F5987F0E16BAE6B37B4B1A7330A7CB5AA31249F8CF58DE37B8B701C16881E4E4E61C1
                                                              Malicious:false
                                                              Preview:start GamePall.exe OuWe5kl
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:MSVC program database ver 7.00, 512*4023 bytes
                                                              Category:dropped
                                                              Size (bytes):2059776
                                                              Entropy (8bit):4.067542396670122
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:70F9EAEA8A2A604E59F72EDE66F83AB4
                                                              SHA1:0AB9EA1BFFDFF471EC22AB289C7FBC5E0CDF48BF
                                                              SHA-256:38A07BA75CC2BBDF715CA87D380A4E5A0DCFAF9C30C5ECD30F6107871D51825B
                                                              SHA-512:47DE4DAD93385A4907FADE307040FE026ED66989C0C9915AFC96CB2BC93DE5E106DC1274E4AD2382021C758C60FEDE06D68998CF3591E23E2951778CE09D6D4C
                                                              Malicious:false
                                                              Preview:Microsoft C/C++ MSF 7.00...DS................J..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):346624
                                                              Entropy (8bit):6.54104466243173
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:7A53AD3E5D2E65C982450E7B7453DE8A
                                                              SHA1:99F27E54F1F61207C02110CAC476405557A8AD54
                                                              SHA-256:24FDDD6A367792A9D86D9060FC9AA459B5FB0F67804CB7D139A100D86BBDAFF8
                                                              SHA-512:2B5E5DB46FDC787CB46CDAEBFFC01586E248FBB864677B27AF03CDC33E956DEF51B3F836597E7092C4175CF605C44728C6F96B74BB2C9870E9715D4AF4C531A1
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......_.........."!.........T............................................................@A....................................P....p...........................3..4.......................8........G...............................................text............................... ..`.rdata..............................@..@.data....4..........................@....00cfg.......@......................@..@.tls.........P......................@....voltbl......`...........................rsrc........p......................@..@.reloc...3.......4..................@..B........................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):2445312
                                                              Entropy (8bit):6.750207745422387
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:334C3157E63A34B22CCE25A44A04835F
                                                              SHA1:C6B05BD55BE9FED3B0C5077C5649E2A41C10DC08
                                                              SHA-256:3E307570B574469EC8BCF1CE6D5291DF8D627CA3812F05AACFEBBD3F00B17F89
                                                              SHA-512:11F538ADD05515861891892EBB90163B6540B72FEB380D64B4A0AA56C6415E3B71374557BF50D0B936712B1006F2B94D59BEBFBF18CBF93BB883D9055CAAEEE9
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......_.........."!.....4 .................................................p*...........@A..........................#.. ....$.d....P)......................`).......#.......................#......."...............$.P............................text.../2 ......4 ................. ..`.rdata..\....P ......8 .............@..@.data...L....@$...... $.............@....00cfg....... )......>$.............@..@.tls.........0)......@$.............@....voltbl.M....@)......B$..................rsrc........P)......D$.............@..@.reloc.......`)......H$.............@..B........................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:data
                                                              Category:dropped
                                                              Size (bytes):631017
                                                              Entropy (8bit):5.144793130466209
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:0794DF29DF8DFC3ECE5C443F864F5AEB
                                                              SHA1:BFD4A9A34BEB9751BC4203FB9A9172F1F05E5B16
                                                              SHA-256:3EE2237E9B14871165B051CCF892C8375E45B5F12841E02F4B9D37F5D5A03283
                                                              SHA-512:0D34E36F7455B977F086F04840FBA679284A619A7164A56B5C7FC2ADCB23A231B67A62101540EB07CF5C8192790266B08D2CC232D291621C331FE77C1F5E52C0
                                                              Malicious:false
                                                              Preview:..........d..<..11.8.172.9......................................................@...]!...S..y...-[..........`....`....`T...`b...`....`............B..............b........."..............B..............b...(Jb...)L.....@..F^.1..5.`.....(Jb...-P.....@..F^..`.....H...IDa........Db............D`.....-.D`.....D]D....D`......WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa............L...........................................................................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):4400640
                                                              Entropy (8bit):6.667314807988382
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:7F913E31D00082338F073EF60D67B335
                                                              SHA1:AC831B45F2A32E23BA9046044508E47E04CDA3A4
                                                              SHA-256:B60E9818C4EA9396D0D2D2A4AC79C7DC40D0DFF6BB8BC734D0AB14ADC30FBF30
                                                              SHA-512:E1AC79C775CF9137283CD2C1AE1A45EC597E0351CDB9C11D483E2E1F8B00CC2BBC5807A50DED13A3A5E76F06C1A565EFF1233F4EC727B0C5F7AA3BEAEA906750
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....$5.........P.-......................................PD...........@A........................8=?.~....\?.P.... B......................0B.X.....?.....................H.?......@5.............._?..............................text...T#5......$5................. ..`.rdata...a...@5..b...(5.............@..@.data...@N....?..x....?.............@....00cfg........B.......A.............@..@.tls....5.....B.......A.............@....rsrc........ B.......A.............@..@.reloc..X....0B.......A.............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:JSON data
                                                              Category:dropped
                                                              Size (bytes):106
                                                              Entropy (8bit):4.724752649036734
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:8642DD3A87E2DE6E991FAE08458E302B
                                                              SHA1:9C06735C31CEC00600FD763A92F8112D085BD12A
                                                              SHA-256:32D83FF113FEF532A9F97E0D2831F8656628AB1C99E9060F0332B1532839AFD9
                                                              SHA-512:F5D37D1B45B006161E4CEFEEBBA1E33AF879A3A51D16EE3FF8C3968C0C36BBAFAE379BF9124C13310B77774C9CBB4FA53114E83F5B48B5314132736E5BB4496F
                                                              Malicious:false
                                                              Preview:{"file_format_version": "1.0.0", "ICD": {"library_path": ".\\vk_swiftshader.dll", "api_version": "1.0.5"}}
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):826368
                                                              Entropy (8bit):6.78646032943732
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:A031EB19C61942A26EF74500AD4B42DF
                                                              SHA1:FDC6EA473234F153639E963E8EFB8D028DA1BE20
                                                              SHA-256:207706A3A3FAA8500F88CB034B26413074EFC67221A07C5F70558F3C40985A91
                                                              SHA-512:80F843E47FC2B41B17EF6EA1BB2BB04119B2417311599EC52120D9F9DF316B4D7B1DAF97EE5CDF2AE78CDB9475E5C65255A7F2AB2A9231804F6A82C83303FD19
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....|..........@.....................................................@A...........................<!..$...P....p..............................l..............................................P................................text....z.......|.................. ..`.rdata..tr.......t..................@..@.data....7..........................@....00cfg.......P......................@..@.tls.........`......................@....rsrc........p......................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):211456
                                                              Entropy (8bit):6.566524833521835
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:6D7FD214164C858BBCF4AA050C114E8C
                                                              SHA1:B8868DA6BB9A79EE7C9901A9BFAC580D5BAFCC96
                                                              SHA-256:3F58FB22BD1A1159C351D125BEE122A16BB97BABB5FCA67FDBD9AAAED3B302E6
                                                              SHA-512:0F8F2523C3A616AC7C72A1239B7E353F6A684FF75DA79D1CAF9B98A47FF6FE06329165825704C67C04E92073BA2C17D0FF339C57731DDF0F1489C2E97D1D0A14
                                                              Malicious:false
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............^...^...^..._...^..._q..^..._..^..._..^..._..^..._..^k.._...^..._...^...^...^k.._...^k.._...^n..^...^k.._...^Rich...^........................PE..L...Ua.X.........."!.........(......c........0............................................@.................................x...<....@.......................P..T"......8...............................@............0..0............................text............................... ..`.rdata..`....0....... ..............@..@.data...............................@....gfids.......0......................@..@.rsrc........@......................@..@.reloc..T"...P...$..................@..B........................................................................................................................................................................................................................................
                                                              Process:C:\Windows\explorer.exe
                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Category:dropped
                                                              Size (bytes):228352
                                                              Entropy (8bit):6.35123662069052
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:43374E1BE56C3C5DD78A770C46C48A31
                                                              SHA1:BD7D391C1D62384558482DE36C298855539DAA7B
                                                              SHA-256:E33636849F3662796F4CE6584C06729EB6E1DF305C700A8A12890C831488C533
                                                              SHA-512:6FA3459260217AB935F139BF45C8ED632905EB5E934C70B4B0FFA0C082845F044DFBB676B3098502BBEB2BB9238516D8D8B945604B5B75AC206622B9B3BB9CE0
                                                              Malicious:true
                                                              Antivirus:
                                                              • Antivirus: ReversingLabs, Detection: 37%
                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........dc...0...0...0...0...0...0...0...0...0..0...0...0...0...0...0...0...0...0...0Rich...0................PE..L...._[d.................6...&}......'.......P....@.........................................................................T|..x.....~.XR...........................|...............................u..@............P...............................text...04.......6.................. ..`.rdata...6...P...8...:..............@..@.data.....|..........r..............@....rsrc...XR....~..T...(..............@..@........................................................................................................................................................................................................................................................................................................................................................................
                                                              Process:C:\Windows\explorer.exe
                                                              File Type:ASCII text, with CRLF line terminators
                                                              Category:dropped
                                                              Size (bytes):26
                                                              Entropy (8bit):3.95006375643621
                                                              Encrypted:false
                                                              SSDEEP:
                                                              MD5:187F488E27DB4AF347237FE461A079AD
                                                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                              Malicious:true
                                                              Preview:[ZoneTransfer]....ZoneId=0
                                                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                              Entropy (8bit):6.35123662069052
                                                              TrID:
                                                              • Win32 Executable (generic) a (10002005/4) 99.96%
                                                              • Generic Win/DOS Executable (2004/3) 0.02%
                                                              • DOS Executable Generic (2002/1) 0.02%
                                                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                              File name:file.exe
                                                              File size:228'352 bytes
                                                              MD5:43374e1be56c3c5dd78a770c46c48a31
                                                              SHA1:bd7d391c1d62384558482de36c298855539daa7b
                                                              SHA256:e33636849f3662796f4ce6584c06729eb6e1df305c700a8a12890c831488c533
                                                              SHA512:6fa3459260217ab935f139bf45c8ed632905eb5e934c70b4b0ffa0c082845f044dfbb676b3098502bbeb2bb9238516d8d8b945604b5b75ac206622b9b3bb9ce0
                                                              SSDEEP:3072:D/84BoZMyeq6umq/4OnypXk47nOmtf7f3f8QPhpheqtfUMj/HL:DZkMqpmq/7SXkUOmFv8QPhXeqtvj/
                                                              TLSH:8624C0317790D031D1672D3069B1CAB22E7B783253B4808FB7B8A77E6E603D06A79756
                                                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........dc...0...0...0...0...0...0...0...0...0...0...0...0...0...0...0...0...0...0...0Rich...0................PE..L...._[d...........
                                                              Icon Hash:63796de971437e0f
                                                              Entrypoint:0x402786
                                                              Entrypoint Section:.text
                                                              Digitally signed:false
                                                              Imagebase:0x400000
                                                              Subsystem:windows gui
                                                              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                              DLL Characteristics:NX_COMPAT, TERMINAL_SERVER_AWARE
                                                              Time Stamp:0x645B5FF4 [Wed May 10 09:12:20 2023 UTC]
                                                              TLS Callbacks:
                                                              CLR (.Net) Version:
                                                              OS Version Major:5
                                                              OS Version Minor:1
                                                              File Version Major:5
                                                              File Version Minor:1
                                                              Subsystem Version Major:5
                                                              Subsystem Version Minor:1
                                                              Import Hash:551201303920b450eb819c22e3470d5f
                                                              Instruction
                                                              call 00007FC92CBF2E08h
                                                              jmp 00007FC92CBEE34Eh
                                                              push edi
                                                              mov eax, esi
                                                              and eax, 0Fh
                                                              test eax, eax
                                                              jne 00007FC92CBEE587h
                                                              mov edx, ecx
                                                              and ecx, 7Fh
                                                              shr edx, 07h
                                                              je 00007FC92CBEE527h
                                                              jmp 00007FC92CBEE4C8h
                                                              lea ebx, dword ptr [ebx+00000000h]
                                                              movdqa xmm0, dqword ptr [esi]
                                                              movdqa xmm1, dqword ptr [esi+10h]
                                                              movdqa xmm2, dqword ptr [esi+20h]
                                                              movdqa xmm3, dqword ptr [esi+30h]
                                                              movdqa dqword ptr [edi], xmm0
                                                              movdqa dqword ptr [edi+10h], xmm1
                                                              movdqa dqword ptr [edi+20h], xmm2
                                                              movdqa dqword ptr [edi+30h], xmm3
                                                              movdqa xmm4, dqword ptr [esi+40h]
                                                              movdqa xmm5, dqword ptr [esi+50h]
                                                              movdqa xmm6, dqword ptr [esi+60h]
                                                              movdqa xmm7, dqword ptr [esi+70h]
                                                              movdqa dqword ptr [edi+40h], xmm4
                                                              movdqa dqword ptr [edi+50h], xmm5
                                                              movdqa dqword ptr [edi+60h], xmm6
                                                              movdqa dqword ptr [edi+70h], xmm7
                                                              lea esi, dword ptr [esi+00000080h]
                                                              lea edi, dword ptr [edi+00000080h]
                                                              dec edx
                                                              jne 00007FC92CBEE465h
                                                              test ecx, ecx
                                                              je 00007FC92CBEE50Bh
                                                              mov edx, ecx
                                                              shr edx, 04h
                                                              test edx, edx
                                                              je 00007FC92CBEE4D9h
                                                              lea ebx, dword ptr [ebx+00000000h]
                                                              movdqa xmm0, dqword ptr [esi]
                                                              movdqa dqword ptr [edi], xmm0
                                                              lea esi, dword ptr [esi+10h]
                                                              lea edi, dword ptr [edi+10h]
                                                              dec edx
                                                              jne 00007FC92CBEE4B1h
                                                              and ecx, 0Fh
                                                              je 00007FC92CBEE4E6h
                                                              mov eax, ecx
                                                              shr ecx, 02h
                                                              je 00007FC92CBEE4CFh
                                                              mov edx, dword ptr [esi]
                                                              mov dword ptr [edi], edx
                                                              lea esi, dword ptr [esi+04h]
                                                              lea edi, dword ptr [edi+04h]
                                                              dec ecx
                                                              jne 00007FC92CBEE4B5h
                                                              mov ecx, eax
                                                              and ecx, 00000000h
                                                              Programming Language:
                                                              • [C++] VS2010 build 30319
                                                              • [ASM] VS2010 build 30319
                                                              • [ C ] VS2010 build 30319
                                                              • [IMP] VS2008 SP1 build 30729
                                                              • [RES] VS2010 build 30319
                                                              • [LNK] VS2010 build 30319
                                                              Name | Virtual Address | Virtual Size | Is in Section
                                                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x27c54 | 0x78 | .rdata
                                                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x27eb000 | 0x5258 | .rsrc
                                                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x27ccc | 0x1c | .rdata
                                                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x275e8 | 0x40 | .rdata
                                                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_IAT | 0x25000 | 0x1a4 | .rdata
                                                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                              .text | 0x1000 | 0x23430 | 0x23600 | 7d05f6b858368448e9e06d9e3d769eff | False | 0.8265169500883393 | data | 7.617708599696731 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                              .rdata | 0x25000 | 0x3608 | 0x3800 | bd0c40f239be0d91967d7d1ef10d10af | False | 0.3573521205357143 | data | 4.902091127454568 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                              .data | 0x29000 | 0x27c1a84 | 0xb600 | 9222775c902bd9b67bf0418d5e98a286 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                              .rsrc | 0x27eb000 | 0x5258 | 0x5400 | 2df50dfd51b021e05dc90f4ba91e6d82 | False | 0.4907924107142857 | data | 4.69545463044667 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                              LUCE | 0x27ee358 | 0x136f | ASCII text, with very long lines (4975), with no line terminators | Japanese | Japan | 0.5971859296482412
                                                              RT_ICON | 0x27eb250 | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | Japanese | Japan | 0.5345622119815668
                                                              RT_ICON | 0x27eb918 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | Japanese | Japan | 0.4178423236514523
                                                              RT_ICON | 0x27edec0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | Japanese | Japan | 0.45656028368794327
                                                              RT_STRING | 0x27ef960 | 0x582 | data | Japanese | Japan | 0.4475177304964539
                                                              RT_STRING | 0x27efee8 | 0x108 | data | Japanese | Japan | 0.5795454545454546
                                                              RT_STRING | 0x27efff0 | 0x266 | data | Japanese | Japan | 0.4804560260586319
                                                              RT_GROUP_ICON | 0x27ee328 | 0x30 | data | Japanese | Japan | 0.9375
                                                              RT_VERSION | 0x27ef6c8 | 0x294 | OpenPGP Secret Key | | | 0.5212121212121212
                                                              DLL | Import
                                                              KERNEL32.dll | GetConsoleAliasesLengthW, CommConfigDialogA, SetEndOfFile, InterlockedDecrement, CreateDirectoryW, WriteConsoleInputA, GetWindowsDirectoryA, TlsSetValue, GlobalFindAtomA, LoadLibraryW, IsBadStringPtrA, ReplaceFileA, GlobalUnlock, SetLastError, GetProcAddress, SetFileAttributesA, GetDiskFreeSpaceW, FindResourceA, LocalAlloc, AddVectoredExceptionHandler, GlobalGetAtomNameW, OpenJobObjectW, EnumResourceTypesW, GetOEMCP, LoadLibraryExA, OpenFileMappingW, TerminateJobObject, CreateFileW, FlushFileBuffers, HeapReAlloc, WriteConsoleW, SetStdHandle, RaiseException, HeapSize, CreateFileA, LoadLibraryA, GetDateFormatW, GetStringTypeW, LCMapStringW, MultiByteToWideChar, GetModuleHandleW, ExitProcess, DecodePointer, GetCommandLineA, HeapSetInformation, GetStartupInfoW, IsProcessorFeaturePresent, HeapAlloc, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, EncodePointer, TerminateProcess, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetLastError, HeapFree, GetCPInfo, InterlockedIncrement, GetACP, IsValidCodePage, TlsAlloc, TlsGetValue, TlsFree, GetCurrentThreadId, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, WriteFile, GetStdHandle, GetModuleFileNameW, GetModuleFileNameA, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, SetHandleCount, GetFileType, HeapCreate, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, SetFilePointer, GetConsoleCP, GetConsoleMode, Sleep, RtlUnwind, CloseHandle
                                                              USER32.dll | GetKeyboardLayoutNameA, SetMessageExtraInfo, GetCaretPos, InsertMenuItemW, CharUpperBuffW, DdeKeepStringHandle, GetClassInfoW
                                                              GDI32.dll | GetTextMetricsA, GetCharWidthA
                                                              ole32.dll | CoSuspendClassObjects, CoMarshalHresult
                                                              WINHTTP.dll | WinHttpCheckPlatform
                                                              Language of compilation system | Country where language is spoken | Map
                                                              Japanese | Japan |
                                                              Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

                                                              Target ID:0
                                                              Start time:12:22:39
                                                              Start date:03/07/2024
                                                              Path:C:\Users\user\Desktop\file.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\Desktop\file.exe"
                                                              Imagebase:0x400000
                                                              File size:228'352 bytes
                                                              MD5 hash:43374E1BE56C3C5DD78A770C46C48A31
                                                              Has elevated privileges:true
                                                              Has administrator privileges:true
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2074010175.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                              • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2073933094.0000000002D9E000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                              • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.2074082205.0000000004861000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                              • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.2074082205.0000000004861000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                                                              • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.2074046706.0000000004840000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.2074046706.0000000004840000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                              Reputation:low
                                                              Has exited:true

                                                              Target ID:2
                                                              Start time:12:22:45
                                                              Start date:03/07/2024
                                                              Path:C:\Windows\explorer.exe
                                                              Wow64 process (32bit):false
                                                              Commandline:C:\Windows\Explorer.EXE
                                                              Imagebase:0x7ff674740000
                                                              File size:5'141'208 bytes
                                                              MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:high
                                                              Has exited:false

                                                              Target ID:4
                                                              Start time:12:23:04
                                                              Start date:03/07/2024
                                                              Path:C:\Users\user\AppData\Roaming\tvgrbbh
                                                              Wow64 process (32bit):true
                                                              Commandline:C:\Users\user\AppData\Roaming\tvgrbbh
                                                              Imagebase:0x400000
                                                              File size:228'352 bytes
                                                              MD5 hash:43374E1BE56C3C5DD78A770C46C48A31
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000004.00000002.2308849258.0000000002C60000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                              • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.2308869402.0000000002C70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.2308869402.0000000002C70000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                              • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.2308952172.0000000002DB1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                              • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.2308952172.0000000002DB1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                                                              • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000004.00000002.2309055682.0000000002E6E000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
                                                              Antivirus matches:
                                                              • Detection: 37%, ReversingLabs
                                                              Reputation:low
                                                              Has exited:true

                                                              Target ID:5
                                                              Start time:12:23:19
                                                              Start date:03/07/2024
                                                              Path:C:\Users\user\AppData\Local\Temp\263.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:C:\Users\user\AppData\Local\Temp\263.exe
                                                              Imagebase:0xd80000
                                                              File size:6'642'176 bytes
                                                              MD5 hash:BD2EAC64CBDED877608468D86786594A
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2469202741.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2453265148.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2472656065.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2469729553.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2442545609.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2483423717.0000000000CB2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2470824131.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2469729553.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2470272169.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2470824131.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2468406053.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2468406053.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2454270658.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2470272169.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2483276485.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2442768561.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2468180079.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2468180079.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2453693176.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2469202741.0000000000CA5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2430706446.0000000000CAF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2483243871.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2429925382.0000000000CAB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000003.2472656065.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              Antivirus matches:
                                                              • Detection: 100%, Avira
                                                              • Detection: 100%, Joe Sandbox ML
                                                              • Detection: 68%, ReversingLabs
                                                              Reputation:moderate
                                                              Has exited:true

                                                              Target ID:8
                                                              Start time:12:23:32
                                                              Start date:03/07/2024
                                                              Path:C:\Users\user\AppData\Local\Temp\3D69.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:C:\Users\user\AppData\Local\Temp\3D69.exe
                                                              Imagebase:0x400000
                                                              File size:293'869 bytes
                                                              MD5 hash:60172CA946DE57C3529E9F05CC502870
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Antivirus matches:
                                                              • Detection: 100%, Avira
                                                              • Detection: 21%, ReversingLabs
                                                              Reputation:moderate
                                                              Has exited:true

                                                              Target ID:9
                                                              Start time:12:23:38
                                                              Start date:03/07/2024
                                                              Path:C:\Users\user\AppData\Local\Temp\698B.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:C:\Users\user\AppData\Local\Temp\698B.exe
                                                              Imagebase:0x620000
                                                              File size:578'048 bytes
                                                              MD5 hash:DA4B6F39FC024D2383D4BFE7F67F1EE1
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Yara matches:
                                                              • Rule: JoeSecurity_PovertyStealer, Description: Yara detected Poverty Stealer, Source: 00000009.00000002.3455474502.0000000003440000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                              • Rule: JoeSecurity_PovertyStealer, Description: Yara detected Poverty Stealer, Source: 00000009.00000002.3454319928.0000000000C0C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                              Antivirus matches:
                                                              • Detection: 100%, Joe Sandbox ML
                                                              • Detection: 42%, ReversingLabs
                                                              Reputation:moderate
                                                              Has exited:true

                                                              Target ID:10
                                                              Start time:12:24:53
                                                              Start date:03/07/2024
                                                              Path:C:\Users\user\AppData\Local\Temp\setup.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\AppData\Local\Temp\setup.exe"
                                                              Imagebase:0x400000
                                                              File size:107'232'830 bytes
                                                              MD5 hash:FF2293FBFF53F4BD2BFF91780FABFD60
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Antivirus matches:
                                                              • Detection: 100%, Avira
                                                              • Detection: 3%, ReversingLabs
                                                              Reputation:moderate
                                                              Has exited:true

                                                              Target ID:11
                                                              Start time:12:25:26
                                                              Start date:03/07/2024
                                                              Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              Imagebase:0x320000
                                                              File size:296'448 bytes
                                                              MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Antivirus matches:
                                                              • Detection: 100%, Avira
                                                              • Detection: 100%, Joe Sandbox ML
                                                              • Detection: 3%, ReversingLabs
                                                              Reputation:moderate
                                                              Has exited:true

                                                              Target ID:13
                                                              Start time:12:25:32
                                                              Start date:03/07/2024
                                                              Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; STK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.133 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3516 --field-trial-handle=3520,i,255411136791549311,11110477984056802424,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
                                                              Imagebase:0xb30000
                                                              File size:296'448 bytes
                                                              MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:moderate
                                                              Has exited:true

                                                              Target ID:14
                                                              Start time:12:25:32
                                                              Start date:03/07/2024
                                                              Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                              Imagebase:0xae0000
                                                              File size:296'448 bytes
                                                              MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:moderate
                                                              Has exited:false

                                                              Target ID:15
                                                              Start time:12:25:32
                                                              Start date:03/07/2024
                                                              Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; STK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.133 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3732 --field-trial-handle=3520,i,255411136791549311,11110477984056802424,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
                                                              Imagebase:0xd60000
                                                              File size:296'448 bytes
                                                              MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:moderate
                                                              Has exited:true

                                                              Target ID:16
                                                              Start time:12:25:32
                                                              Start date:03/07/2024
                                                              Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; STK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.133 Mobile Safari/537.36" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=4064 --field-trial-handle=3520,i,255411136791549311,11110477984056802424,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
                                                              Imagebase:0x750000
                                                              File size:296'448 bytes
                                                              MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Reputation:moderate
                                                              Has exited:true

                                                              Target ID:17
                                                              Start time:12:25:32
                                                              Start date:03/07/2024
                                                              Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; STK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.133 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1720019080238565 --launch-time-ticks=5451895126 --mojo-platform-channel-handle=2284 --field-trial-handle=3520,i,255411136791549311,11110477984056802424,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
                                                              Imagebase:0x8e0000
                                                              File size:296'448 bytes
                                                              MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:18
                                                              Start time:12:25:32
                                                              Start date:03/07/2024
                                                              Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (Linux; Android 10; STK-L21) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.133 Mobile Safari/537.36" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1720019080238565 --launch-time-ticks=5451915685 --mojo-platform-channel-handle=4032 --field-trial-handle=3520,i,255411136791549311,11110477984056802424,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
                                                              Imagebase:0x4d0000
                                                              File size:296'448 bytes
                                                              MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:19
                                                              Start time:12:25:33
                                                              Start date:03/07/2024
                                                              Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                              Imagebase:0x360000
                                                              File size:296'448 bytes
                                                              MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:20
                                                              Start time:12:25:33
                                                              Start date:03/07/2024
                                                              Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                              Imagebase:0xef0000
                                                              File size:296'448 bytes
                                                              MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:21
                                                              Start time:12:25:33
                                                              Start date:03/07/2024
                                                              Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                              Imagebase:0xf10000
                                                              File size:296'448 bytes
                                                              MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:22
                                                              Start time:12:25:36
                                                              Start date:03/07/2024
                                                              Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                              Imagebase:0xe50000
                                                              File size:296'448 bytes
                                                              MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:false

                                                              Target ID:23
                                                              Start time:12:25:37
                                                              Start date:03/07/2024
                                                              Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                              Imagebase:0x570000
                                                              File size:296'448 bytes
                                                              MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:false

                                                              Target ID:24
                                                              Start time:12:25:37
                                                              Start date:03/07/2024
                                                              Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                              Imagebase:0x5b0000
                                                              File size:296'448 bytes
                                                              MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:false

                                                              Target ID:25
                                                              Start time:12:25:37
                                                              Start date:03/07/2024
                                                              Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                              Imagebase:0x7ff6a5670000
                                                              File size:296'448 bytes
                                                              MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:false

                                                              Target ID:26
                                                              Start time:12:25:39
                                                              Start date:03/07/2024
                                                              Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                              Imagebase:0x8b0000
                                                              File size:296'448 bytes
                                                              MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:false

                                                              Target ID:27
                                                              Start time:12:25:39
                                                              Start date:03/07/2024
                                                              Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                              Imagebase:0x730000
                                                              File size:296'448 bytes
                                                              MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:false

                                                              Target ID:28
                                                              Start time:12:25:40
                                                              Start date:03/07/2024
                                                              Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                              Imagebase:0x860000
                                                              File size:296'448 bytes
                                                              MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:false

                                                              Target ID:29
                                                              Start time:12:25:41
                                                              Start date:03/07/2024
                                                              Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                              Imagebase:0x2f0000
                                                              File size:296'448 bytes
                                                              MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:false

                                                              Target ID:30
                                                              Start time:12:25:43
                                                              Start date:03/07/2024
                                                              Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                              Imagebase:0x8b0000
                                                              File size:296'448 bytes
                                                              MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:false

                                                              Target ID:31
                                                              Start time:12:25:44
                                                              Start date:03/07/2024
                                                              Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                              Imagebase:0x680000
                                                              File size:296'448 bytes
                                                              MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:false

                                                              Target ID:32
                                                              Start time:12:25:44
                                                              Start date:03/07/2024
                                                              Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                              Imagebase:0xcf0000
                                                              File size:296'448 bytes
                                                              MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:false

                                                              Target ID:33
                                                              Start time:12:25:45
                                                              Start date:03/07/2024
                                                              Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                              Imagebase:0xd10000
                                                              File size:296'448 bytes
                                                              MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:false

                                                              Target ID:34
                                                              Start time:12:25:45
                                                              Start date:03/07/2024
                                                              Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                              Imagebase:0xf30000
                                                              File size:296'448 bytes
                                                              MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:false

                                                              Target ID:35
                                                              Start time:12:25:46
                                                              Start date:03/07/2024
                                                              Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                              Imagebase:0x670000
                                                              File size:296'448 bytes
                                                              MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:false

                                                              Target ID:36
                                                              Start time:12:25:46
                                                              Start date:03/07/2024
                                                              Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                              Imagebase:0x800000
                                                              File size:296'448 bytes
                                                              MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:37
                                                              Start time:12:25:46
                                                              Start date:03/07/2024
                                                              Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                              Imagebase:0x100000
                                                              File size:296'448 bytes
                                                              MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:38
                                                              Start time:12:25:47
                                                              Start date:03/07/2024
                                                              Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                              Imagebase:0xde0000
                                                              File size:296'448 bytes
                                                              MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:true

                                                              Target ID:39
                                                              Start time:12:25:47
                                                              Start date:03/07/2024
                                                              Path:C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
                                                              Wow64 process (32bit):true
                                                              Commandline:"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
                                                              Imagebase:0xd10000
                                                              File size:296'448 bytes
                                                              MD5 hash:7A3502C1119795D35569535DE243B6FE
                                                              Has elevated privileges:false
                                                              Has administrator privileges:false
                                                              Programmed in:C, C++ or other language
                                                              Has exited:false


                                                                Execution Graph

                                                                Execution Coverage:7.9%
                                                                Dynamic/Decrypted Code Coverage:29.3%
                                                                Signature Coverage:64.6%
                                                                Total number of Nodes:99
                                                                Total number of Limit Nodes:2
                                                                Execution graph (the rendered graph is not reproduced here; the node labels below are recovered from the graph data, nodes without an API label are plain basic blocks):
                                                                • Entry nodes: 0x401496, 0x4014de, 0x401543, 0x401924, 0x402e63, 0x402eb7, 0x402fe9, 0x2da4da1, 0x482003c, 0x482092b
                                                                • Section-mapping path (reached from 0x401496, 0x4014de, 0x401543 and via 0x401538): 0x4015e6 NtDuplicateObject → 0x401603 NtCreateSection → 0x401629 NtMapViewOfSection → 0x40164c NtMapViewOfSection → 0x401683 NtCreateSection → 0x4016b9 NtMapViewOfSection → 0x4016e0 NtMapViewOfSection; every API node also has a failure edge to the exit block (0x401702 / 0x40152f)
                                                                • 0x401924 → 0x40195e Sleep → 0x401538 (collapsed: "7 API calls"); 0x402e63 / 0x402eb7 → 0x401918 (collapsed: "8 API calls")
                                                                • 0x402fe9 → 0x4030ce RtlCreateUserThread, NtTerminateProcess
                                                                • 0x2da4da1 → 0x2da5576 CreateToolhelp32Snapshot → 0x2da5592 Module32First → 0x2da524d VirtualAlloc
                                                                • 0x482003c → 0x4820e0f SetErrorMode, SetErrorMode → 0x4820dbb GetPEB → 0x4820238 VirtualAlloc → 0x48202ce VirtualProtect → 0x4820439 VirtualFree → 0x48204be LoadLibraryA
                                                                • 0x482092b GetPEB

                                                                Control-flow Graph

                                                                Control-flow graph for the function entered at 0x401496 (graph rendering not reproduced; the original distinguishes executed from not-executed basic blocks). Basic blocks span 0x401447 to 0x401915, call 0x4011b7 and 0x401707, and contain the NtDuplicateObject / NtCreateSection / NtMapViewOfSection calls listed below.
                                                                APIs
                                                                • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2072319535.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                Similarity
                                                                • API ID: Section$CreateDuplicateObjectView
                                                                • String ID:
                                                                • API String ID: 1652636561-0
                                                                • Opcode ID: 5edb7204c22a8cfb94061bf161a88c3eca98da374ec15d8cd8ba2bf42dcd3747
                                                                • Instruction ID: 8e4940cc2d5d294876689a6a874cb0cc3c399929e81e9dec1e5d288c8cd9e9dd
                                                                • Opcode Fuzzy Hash: 5edb7204c22a8cfb94061bf161a88c3eca98da374ec15d8cd8ba2bf42dcd3747
                                                                • Instruction Fuzzy Hash: F481B375500244BBEB209F91CC44FAB7BB8FF85704F10412AF952BA2F1E7749901CB69

                                                                Control-flow Graph

                                                                Control-flow graph for the function entered at 0x401538 (graph rendering not reproduced; the original distinguishes executed from not-executed basic blocks). Basic blocks span 0x401538 to 0x401915, call 0x4011b7 and 0x401707, and contain the full section-mapping sequence listed below: one NtDuplicateObject, two NtCreateSection and four NtMapViewOfSection calls, each with a failure edge to the common exit block at 0x4018b6.
                                                                APIs
                                                                • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                                • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
                                                                • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
                                                                • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
                                                                • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2072319535.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                Similarity
                                                                • API ID: Section$View$Create$DuplicateObject
                                                                • String ID:
                                                                • API String ID: 1546783058-0
                                                                • Opcode ID: 4af5c640631db37ac51d1c1afd1ab74928840835cbc445bb96c3204467379d38
                                                                • Instruction ID: 71a4d0092025beca94809e07d65936591d52f1bb8effc294688e3fcd05e54c36
                                                                • Opcode Fuzzy Hash: 4af5c640631db37ac51d1c1afd1ab74928840835cbc445bb96c3204467379d38
                                                                • Instruction Fuzzy Hash: E0615171900204FBEB209F95CC89FAF7BB8FF85700F10412AF912BA2E5D6759905DB65
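The API listing above for the function at 0x401538 is the sandbox's rendering of a classic section-mapping injection: a pagefile-backed section (FileHandle NULL, SEC_COMMIT) is created with PAGE_EXECUTE_READWRITE, mapped once PAGE_READWRITE against a constant process handle and once PAGE_EXECUTE_READ against a handle that is only known at run time. The following Python script is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses lines in exactly this listing format, decodes the NtCreateSection and NtMapViewOfSection arguments against the documented Windows constants, and flags that pattern. The sample input is the listing above copied verbatim; treating the `?` (unresolved) ProcessHandle as the foreign process, and the flagging rule itself, are this example's own assumptions.

```python
"""Decode Joe Sandbox "APIs" listings for NtCreateSection / NtMapViewOfSection
and flag the section-mapping injection pattern.  Added example, not code from
the Joe Sandbox report; the heuristic below is this author's assumption."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the "APIs" listing for the function at 0x401538,
# copied verbatim from the report above.
SAMPLE_API_LISTING = """\
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
"""

# Documented Windows constants (winnt.h / ntifs.h).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80
SEC_COMMIT = 0x08000000
SECTION_ACCESS = {0x1: "SECTION_QUERY", 0x2: "SECTION_MAP_WRITE",
                  0x4: "SECTION_MAP_READ", 0x8: "SECTION_MAP_EXECUTE",
                  0x10: "SECTION_EXTEND_SIZE"}

# One listing line: "• Name.DLL(arg,arg,...), ref: 0040xxxx"
LINE_RE = re.compile(r"^\s*[•*-]?\s*(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")


def parse_args(raw: str) -> List[Optional[int]]:
    """Hex arguments as rendered by the sandbox; '?' (unresolved) becomes None."""
    return [None if a.strip() == "?" else int(a, 16) for a in raw.split(",")]


@dataclass
class SectionFinding:
    create_ref: int                      # address of the NtCreateSection call
    desired_access: List[str]
    page_protection: str
    pagefile_backed: bool                # FileHandle == NULL and SEC_COMMIT set
    view_refs: List[int] = field(default_factory=list)
    process_handles: List[Optional[int]] = field(default_factory=list)
    view_protections: List[int] = field(default_factory=list)

    @property
    def cross_process(self) -> bool:
        # Heuristic: the same section mapped with two different ProcessHandle
        # renderings (a constant value and an unresolved run-time value).
        return len(set(self.process_handles)) >= 2

    @property
    def remote_view_protection(self) -> Optional[str]:
        # Assumption: the unresolved ('?') ProcessHandle is the foreign process.
        for handle, prot in zip(self.process_handles, self.view_protections):
            if handle is None:
                return PAGE_PROTECTION.get(prot, hex(prot))
        return None

    @property
    def is_injection_pattern(self) -> bool:
        remote_exec = any(h is None and (p & PAGE_EXECUTE_MASK)
                          for h, p in zip(self.process_handles, self.view_protections))
        return self.pagefile_backed and self.cross_process and remote_exec


def analyze_api_listing(text: str) -> List[SectionFinding]:
    """Walk the listing in call order and attribute each view to the most recent section."""
    findings: List[SectionFinding] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        name, args, ref = m.group(1), parse_args(m.group(3)), int(m.group(4), 16)
        if name == "NtCreateSection":
            # (SectionHandle, DesiredAccess, ObjectAttributes, MaximumSize,
            #  SectionPageProtection, AllocationAttributes, FileHandle)
            access, prot, alloc, fh = args[1], args[4], args[5], args[6]
            findings.append(SectionFinding(
                create_ref=ref,
                desired_access=[n for b, n in SECTION_ACCESS.items() if access and access & b],
                page_protection=PAGE_PROTECTION.get(prot, hex(prot) if prot is not None else "?"),
                pagefile_backed=(fh == 0 and alloc is not None and bool(alloc & SEC_COMMIT)),
            ))
        elif name == "NtMapViewOfSection" and findings:
            # (SectionHandle, ProcessHandle, BaseAddress, ZeroBits, CommitSize,
            #  SectionOffset, ViewSize, InheritDisposition, AllocationType,
            #  Win32Protect); the sandbox sometimes prints one extra stack slot
            #  after the 10th parameter, so only the first ten are used.
            proc, win32prot = args[1], args[9]
            cur = findings[-1]
            cur.view_refs.append(ref)
            cur.process_handles.append(proc)
            cur.view_protections.append(win32prot if win32prot is not None else 0)
    return findings


if __name__ == "__main__":
    for f in analyze_api_listing(SAMPLE_API_LISTING):
        print(f"NtCreateSection @ {f.create_ref:08X}: {f.page_protection}, "
              f"access={'|'.join(f.desired_access)}, pagefile_backed={f.pagefile_backed}, "
              f"views={len(f.view_refs)}, cross_process={f.cross_process}, "
              f"remote_view={f.remote_view_protection}, injection={f.is_injection_pattern}")
```

Run as-is it prints one summary line per section: the first section (0x401622) is PAGE_READWRITE and its remote view is PAGE_READWRITE, so it is reported as cross-process staging but not flagged; the second (0x4016A4) is PAGE_EXECUTE_READWRITE with a PAGE_EXECUTE_READ remote view and is flagged. Any other "APIs" block from a Joe Sandbox report can be pasted in place of the sample; the script only looks at the two section APIs and ignores the rest.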

                                                                Control-flow Graph

                                                                Control-flow graph for the function entered at 0x4014de (graph rendering not reproduced; the original distinguishes executed from not-executed basic blocks). Basic blocks span 0x401447 to 0x401915, call 0x4011b7 and 0x401707, and contain the NtDuplicateObject / NtCreateSection / NtMapViewOfSection calls listed below.
                                                                APIs
                                                                • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2072319535.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                Similarity
                                                                • API ID: Section$CreateDuplicateObjectView
                                                                • String ID:
                                                                • API String ID: 1652636561-0
                                                                • Opcode ID: c3f6308678fe624b1287adcb7156a2cf5c07ee8b7810a15753646c5694e98bc6
                                                                • Instruction ID: 6a824664258ffec6fdf95c516407446232c8a84219ad61b9fd4b8efeb52f3576
                                                                • Opcode Fuzzy Hash: c3f6308678fe624b1287adcb7156a2cf5c07ee8b7810a15753646c5694e98bc6
                                                                • Instruction Fuzzy Hash: 9B615C75900245BFEB219F91CC88FEBBBB8FF85710F10016AF951BA2A5E7749901CB24

                                                                Control-flow Graph

                                                                Control-flow graph for the function entered at 0x401543 (graph rendering not reproduced; the original distinguishes executed from not-executed basic blocks). Basic blocks span 0x401543 to 0x401915, call 0x4011b7 and 0x401707, and contain the full section-mapping sequence listed below.
                                                                APIs
                                                                • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                                • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
                                                                • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
                                                                • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
                                                                • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2072319535.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                Similarity
                                                                • API ID: Section$View$Create$DuplicateObject
                                                                • String ID:
                                                                • API String ID: 1546783058-0
                                                                • Opcode ID: f4faf4f0efc4cc5c307795d20c298965336779ff7452863f8b2b81be2522acaa
                                                                • Instruction ID: 1fc6fb52bb36dddf8f971a96ecfe927bdbae9887f6286775c14151e9c1d92244
                                                                • Opcode Fuzzy Hash: f4faf4f0efc4cc5c307795d20c298965336779ff7452863f8b2b81be2522acaa
                                                                • Instruction Fuzzy Hash: 13512B71900245BBEB209F91CC88FAF7BB8EF85B00F14416AF912BA2E5D6749945CB64

                                                                Control-flow Graph

                                                                Control-flow graph for the function entered at 0x401565 (graph rendering not reproduced; the original distinguishes executed from not-executed basic blocks). Basic blocks span 0x401565 to 0x401915, call 0x4011b7 and 0x401707, and contain the full section-mapping sequence listed below.
                                                                APIs
                                                                • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                                • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
                                                                • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
                                                                • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
                                                                • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2072319535.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                Similarity
                                                                • API ID: Section$View$Create$DuplicateObject
                                                                • String ID:
                                                                • API String ID: 1546783058-0
                                                                • Opcode ID: 40d7219ce39e026dd98d18ec02294656054e4da488103e740ba1602fb3a5db7c
                                                                • Instruction ID: d88667ffe02cbbb2798d41d5ad0cf6527765788d972b82ac88077c7d238bff09
                                                                • Opcode Fuzzy Hash: 40d7219ce39e026dd98d18ec02294656054e4da488103e740ba1602fb3a5db7c
                                                                • Instruction Fuzzy Hash: 54511A71900205BFEF209F91CC89FAFBBB8FF85B10F104259F911AA2A5D7759941CB64

Control-flow Graph: [graph figure not reproduced; function starting at 401579, with basic blocks calling NtDuplicateObject, NtCreateSection and NtMapViewOfSection; legend: Executed / Not Executed]
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
Memory Dump Source
• Source File: 00000000.00000002.2072319535.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: 44bf211d5ecd49b3cfb3996dc98baa0f9fc545abe5e070ef87effc0df1f686f8
• Instruction ID: 7169477154cf1621f4f222e223ad54e678f31395e99d0ffd613e12cb64d905d3
• Opcode Fuzzy Hash: 44bf211d5ecd49b3cfb3996dc98baa0f9fc545abe5e070ef87effc0df1f686f8
• Instruction Fuzzy Hash: 2B511A75900245BBEF209F91CC88FEF7BB8FF85B10F104119F911BA2A5D6759941CB64

Control-flow Graph: [graph figure not reproduced; function starting at 40157c, with basic blocks calling NtDuplicateObject, NtCreateSection and NtMapViewOfSection; legend: Executed / Not Executed]
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
Memory Dump Source
• Source File: 00000000.00000002.2072319535.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: c4110b1088d5ef41785dfe7ea8eaa09ab46741a105747cbb29c974859abd6495
• Instruction ID: 14f4b29c405daff92d21e2b3eea283823ae405efc36948ac0d92101f557811aa
• Opcode Fuzzy Hash: c4110b1088d5ef41785dfe7ea8eaa09ab46741a105747cbb29c974859abd6495
• Instruction Fuzzy Hash: DE51F9B5900245BBEF209F91CC88FEFBBB8FF85B10F104259F911AA2A5D6709944CB64

Control-flow Graph: [graph figure not reproduced; function starting at 402fe9, with a basic block calling RtlCreateUserThread and NtTerminateProcess; legend: Executed / Not Executed]
APIs
Memory Dump Source
• Source File: 00000000.00000002.2072319535.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: CreateProcessTerminateThreadUser
• String ID:
• API String ID: 1921587553-0
• Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
• Instruction ID: 3e1675bac70c022a4e457ffe6b5fa54937b73e0116388ba90aec32851b4d9964
• Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
• Instruction Fuzzy Hash: A1412431228E088FD768EF5CA885762B7D5F798311F6643AAE809D7389EA34DC1183C5

Control-flow Graph: [graph figure not reproduced; function starting at 2da5552, with basic blocks calling CreateToolhelp32Snapshot and Module32First; legend: Executed / Not Executed]
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02DA557A
• Module32First.KERNEL32(00000000,00000224), ref: 02DA559A
Memory Dump Source
• Source File: 00000000.00000002.2073933094.0000000002D9E000.00000040.00000020.00020000.00000000.sdmp, Offset: 02D9E000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d9e000_file.jbxd
Yara matches
Similarity
• API ID: CreateFirstModule32SnapshotToolhelp32
• String ID:
• API String ID: 3833638111-0
• Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction ID: a918fbb41378456f6ebb6c1868b1bbc9615786a3ca5a795869bd11edb8dae44b
• Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
• Instruction Fuzzy Hash: 92F0CD32A00310ABD7202FB8BC8CF6E76EDAF49225F900528F642922C0DB70EC058A60

Control-flow Graph: [graph figure not reproduced; function starting at 482003c, with basic blocks calling VirtualAlloc, VirtualProtect, VirtualFree and LoadLibraryA; legend: Executed / Not Executed]
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0482024D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2074010175.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4820000_file.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID: cess$kernel32.dll
• API String ID: 4275171209-1230238691
• Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction ID: ae520b6acdc796ed282428cabec774cde4f4bd6a622a884b2d9b5b383059f3a5
• Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
• Instruction Fuzzy Hash: FB527974A01229DFDB64CF58C984BACBBB1BF09304F1485D9E90DAB351DB30AA84DF15

Control-flow Graph: [graph figure not reproduced; function starting at 4820e0f, with a basic block calling SetErrorMode twice; legend: Executed / Not Executed]
APIs
• SetErrorMode.KERNELBASE(00000400,?,?,04820223,?,?), ref: 04820E19
• SetErrorMode.KERNELBASE(00000000,?,?,04820223,?,?), ref: 04820E1E
Memory Dump Source
• Source File: 00000000.00000002.2074010175.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_4820000_file.jbxd
Yara matches
Similarity
• API ID: ErrorMode
• String ID:
• API String ID: 2340568224-0
• Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction ID: c305c479093041c3bdcac86e1ef893677768c67fdbd7ad2a11b9be042c951924
• Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
• Instruction Fuzzy Hash: BFD0123554512877D7402A94DC09BCD7B1CDF05B62F008411FB0DD9080C770958046E5

Control-flow Graph: [graph figure not reproduced; function starting at 401918, with a basic block calling Sleep and subcalls to 4011b7, 40143e and 401538; legend: Executed / Not Executed]
APIs
• Sleep.KERNELBASE(00001388), ref: 00401966
  • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
  • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
  • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
Memory Dump Source
• Source File: 00000000.00000002.2072319535.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0
• Opcode ID: be810bd81fc1513bf14dac74237aa616a3cfbc48422f9378a192f31e1e69cca3
• Instruction ID: 41df8370e0b5f9a47a14a91e784646d83bdfa422f97ac69dcfec837627d5bcb0
• Opcode Fuzzy Hash: be810bd81fc1513bf14dac74237aa616a3cfbc48422f9378a192f31e1e69cca3
• Instruction Fuzzy Hash: 6D018CF520C148E7EB016A948DB1EBA36299B45324F300233B647B91F4C57C8A03E76F

Control-flow Graph: [graph figure not reproduced; function starting at 401924, with a basic block calling Sleep and subcalls to 4011b7, 40143e and 401538; legend: Executed / Not Executed]
APIs
• Sleep.KERNELBASE(00001388), ref: 00401966
  • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
  • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
  • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
Memory Dump Source
• Source File: 00000000.00000002.2072319535.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0
• Opcode ID: 3ad2d4b3403b833ed421c634174be831538fe621ff724946387ec8f91c54f5fa
• Instruction ID: 34fc3aff5e218d4630d956a4f9c4c41b7245144a44faa4fd8074b33eba8f9d72
• Opcode Fuzzy Hash: 3ad2d4b3403b833ed421c634174be831538fe621ff724946387ec8f91c54f5fa
• Instruction Fuzzy Hash: 43017CF5208145E7EB015A948DB0EBA26299B45314F300237B617BA1F4C57D8602E76F
APIs
• VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02DA5262
Memory Dump Source
• Source File: 00000000.00000002.2073933094.0000000002D9E000.00000040.00000020.00020000.00000000.sdmp, Offset: 02D9E000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2d9e000_file.jbxd
Yara matches
Similarity
• API ID: AllocVirtual
• String ID:
• API String ID: 4275171209-0
• Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction ID: ef23a2720c5897f589e521a393bfbcf5e449cbb1a1127376ab41c1e57ec6c80e
• Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
• Instruction Fuzzy Hash: CE112879A00208EFDB01DF98C985E98BBF5EF08351F0580A4FA489B361D371EA90DF90
APIs
• Sleep.KERNELBASE(00001388), ref: 00401966
  • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
  • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
  • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
Memory Dump Source
• Source File: 00000000.00000002.2072319535.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0
• Opcode ID: 6acc595331c6a8be6e6657ef398eef7c869974a8ecae4d1fde63dfd35a725e44
• Instruction ID: 53d82b158b021bc4b6cde56962adc0b8c8d23177238c0d6ee964112a53f005ae
• Opcode Fuzzy Hash: 6acc595331c6a8be6e6657ef398eef7c869974a8ecae4d1fde63dfd35a725e44
• Instruction Fuzzy Hash: 38F0AFB6308249F7DB01AA908DB1EBA36299B54315F300633B617B91F5C57C8A12E76F
APIs
• Sleep.KERNELBASE(00001388), ref: 00401966
  • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
  • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
  • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
Memory Dump Source
• Source File: 00000000.00000002.2072319535.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0
• Opcode ID: 0dfbee2e4a1c62836b2bd3ba6284fddb5b43d5507a7098400a51ac80bc720613
• Instruction ID: f7568a5a22988f4b084f7ac8228f9b89e575eda69d31bfffabc36cd9cbe45c64
• Opcode Fuzzy Hash: 0dfbee2e4a1c62836b2bd3ba6284fddb5b43d5507a7098400a51ac80bc720613
• Instruction Fuzzy Hash: BDF0C2B6208144F7DB019AA18DB1FBA36299B44314F300233BA17B90F5C67C8612E76F
APIs
• Sleep.KERNELBASE(00001388), ref: 00401966
  • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
  • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
  • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
Memory Dump Source
• Source File: 00000000.00000002.2072319535.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_file.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0
• Opcode ID: f575feb9a37452ed4573e207967fb92b714552aa85f9b6ebf0a13cec3e485039
• Instruction ID: 9d6088553fbd849a34ffa1589a5f9bffd683413c7e042594889390f4c4f3f426
• Opcode Fuzzy Hash: f575feb9a37452ed4573e207967fb92b714552aa85f9b6ebf0a13cec3e485039
• Instruction Fuzzy Hash: 08F0C2B2208144F7DB019A958DA0FBA36299B44314F300633B617B91F5C57C8A02E72F
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2074010175.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_4820000_file.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: .$GetProcAddress.$l
                                                                • API String ID: 0-2784972518
                                                                • Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                • Instruction ID: 8187e9d5fc2642250b8ef033f37b768ca7b94207ba16212c6361619c847e4065
                                                                • Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
                                                                • Instruction Fuzzy Hash: CF318BB2900229DFEB11CF88C980AADBBF5FF09328F14454AD501E7210D370FA85CBA4
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2073933094.0000000002D9E000.00000040.00000020.00020000.00000000.sdmp, Offset: 02D9E000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_2d9e000_file.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                • Instruction ID: b9911795c310e1d361abfda81c2affa7301df77889d3311b075fb4f8722fea51
                                                                • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                                                                • Instruction Fuzzy Hash: 96115E72340100AFDB54DF55DC91EA773EAEB89224B298065ED08CB355E7B9ED42CB60
                                                                Memory Dump Source
                                                                • Source File: 00000000.00000002.2074010175.0000000004820000.00000040.00001000.00020000.00000000.sdmp, Offset: 04820000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_0_2_4820000_file.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                • Instruction ID: 933ff9f54dff6ff0bbd477003fb5c7ca2ccdbcdd9af991a805a220ef85264ab2
                                                                • Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
                                                                • Instruction Fuzzy Hash: B001F777A016148FDF21CF20C904BAA33F5EB87205F154AA4E606D7281E370B8C18B80

                                                                Execution Graph

                                                                Execution Coverage:7.8%
                                                                Dynamic/Decrypted Code Coverage:29.3%
                                                                Signature Coverage:0%
                                                                Total number of Nodes:99
                                                                Total number of Limit Nodes:2
[Execution graph rendered as an image; the raw node/edge dump is not reproduced. API chains recoverable from it, by entry point:
• 401543, 401496 and 4014de enter the mapping routine at 401538: NtDuplicateObject → NtCreateSection → NtMapViewOfSection → NtMapViewOfSection → NtCreateSection → NtMapViewOfSection → NtMapViewOfSection → 401702
• 401924 and 402eb7 enter 401918: Sleep → 401538 (7 API calls); 402e63 → 401918 (8 API calls) → 402f44
• 402fe9 → 4030ce: RtlCreateUserThread, NtTerminateProcess
• 2c6092b: GetPEB
• 2c6003c → 2c60e0f: SetErrorMode, SetErrorMode → 2c60dbb GetPEB → 2c60238 VirtualAlloc → 2c602ce VirtualProtect → 2c60439 VirtualFree → 2c604be LoadLibraryA
• 2e74771 → 2e74f46 CreateToolhelp32Snapshot → 2e74f62 Module32First → 2e74c1d VirtualAlloc]

                                                                Control-flow Graph

[Control-flow graph rendered as an image; the Executed/Not Executed colouring and the block/edge dump are not reproduced.]
• Entry: 401496-4014a5, looping through 401447-4014d8 before entering the mapping routine at 401539-401567
• API blocks: 4015e6-4015fd NtDuplicateObject; 401603-401627 NtCreateSection; 401629-40164a, 40164c-401668 NtMapViewOfSection; 401683-4016a9 NtCreateSection; 4016b9-4016da, 4016e0-4016fc NtMapViewOfSection
• Exits: the alternate branch of every API block converges on 4018b6-4018c5 → 4018dd-401915 (call 4011b7); the through path ends at 401702 (call 401707)
                                                                APIs
                                                                • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2307707220.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_400000_tvgrbbh.jbxd
                                                                Similarity
                                                                • API ID: Section$CreateDuplicateObjectView
                                                                • String ID:
                                                                • API String ID: 1652636561-0
                                                                • Opcode ID: 5edb7204c22a8cfb94061bf161a88c3eca98da374ec15d8cd8ba2bf42dcd3747
                                                                • Instruction ID: 8e4940cc2d5d294876689a6a874cb0cc3c399929e81e9dec1e5d288c8cd9e9dd
                                                                • Opcode Fuzzy Hash: 5edb7204c22a8cfb94061bf161a88c3eca98da374ec15d8cd8ba2bf42dcd3747
                                                                • Instruction Fuzzy Hash: F481B375500244BBEB209F91CC44FAB7BB8FF85704F10412AF952BA2F1E7749901CB69

                                                                Control-flow Graph

[Control-flow graph rendered as an image; the Executed/Not Executed colouring and the block/edge dump are not reproduced.]
• Entry: 401538-401567 (the mapping routine itself), then 40156a-401590 (call 4011b7) and the check at 401595-40159a
• API blocks: 4015e6-4015fd NtDuplicateObject; 401603-401627 NtCreateSection; 401629-40164a, 40164c-401668 NtMapViewOfSection; 401683-4016a9 NtCreateSection; 4016b9-4016da, 4016e0-4016fc NtMapViewOfSection
• Exits: the alternate branch of every API block converges on 4018b6-4018c5 → 4018dd-401915 (call 4011b7); the through path ends at 401702 (call 401707)
                                                                APIs
                                                                • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                                • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
                                                                • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
                                                                • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
                                                                • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
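Read together, the seven NTDLL calls above describe one data section (access 0x6, PAGE_READWRITE, SEC_COMMIT) mapped read/write into both the caller and a second process, followed by a section created with PAGE_EXECUTE_READWRITE (0x40) that is mapped PAGE_READWRITE (0x4) into the caller and PAGE_EXECUTE_READ (0x20) into the other process. The decoder below is an added example written for this report, not Joe Sandbox code: it parses the trace lines exactly as printed here, renders the access masks and page protections symbolically, and flags the write-local / execute-remote pairing. It assumes, because the report does not say, that 000000FF is how the sandbox prints the NtCurrentProcess() pseudo-handle, that a '?' argument is a runtime value the sandbox could not resolve, and that each NtMapViewOfSection refers to the most recently created section, since the handles themselves are not shown.

```python
"""Decode the NTDLL section calls traced above and flag section-mapping injection.

Added example for this report, not Joe Sandbox code. Assumptions not stated in
the report: the sandbox prints the NtCurrentProcess() pseudo-handle (-1) as
000000FF, a '?' argument is a runtime value it could not resolve, and every
NtMapViewOfSection refers to the most recently created section (the section
handles themselves are not shown).
"""
import re

LINE_RE = re.compile(r"^(\w+)\.NTDLL\((.*)\), ref: ([0-9A-Fa-f]+)$")

# Constructed input: the API lines copied from the listing above, unchanged.
TRACE = """
NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
"""

PSEUDO_CURRENT_PROCESS = 0xFF  # assumed rendering of (HANDLE)-1 in this report

SECTION_ACCESS = {0x01: "SECTION_QUERY", 0x02: "SECTION_MAP_WRITE",
                  0x04: "SECTION_MAP_READ", 0x08: "SECTION_MAP_EXECUTE",
                  0x10: "SECTION_EXTEND_SIZE"}
SEC_ATTRS = {0x01000000: "SEC_IMAGE", 0x04000000: "SEC_RESERVE",
             0x08000000: "SEC_COMMIT", 0x10000000: "SEC_NOCACHE"}
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY",
                0x04: "PAGE_READWRITE", 0x08: "PAGE_WRITECOPY",
                0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
DUP_OPTIONS = {0x1: "DUPLICATE_CLOSE_SOURCE", 0x2: "DUPLICATE_SAME_ACCESS"}
WRITABLE = 0x04 | 0x08 | 0x40 | 0x80     # page protections that allow writes
EXECUTABLE = 0x10 | 0x20 | 0x40 | 0x80   # page protections that allow execution


def flag_names(value, table):
    """Render a bitmask symbolically; unknown bits are kept as hex, '?' stays '?'."""
    if value is None:
        return "?"
    names = [name for bit, name in table.items() if value & bit]
    leftover = value & ~sum(table)
    if leftover:
        names.append(hex(leftover))
    return "|".join(names) or "0"


def protect_name(value):
    """Page protections are single values, not combinable bits."""
    return "?" if value is None else PAGE_PROTECT.get(value, hex(value))


def decode_line(line):
    """Parse one 'Api.NTDLL(args), ref: addr' line into a dict of symbolic fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    api, raw_args, ref = m.groups()
    args = [None if a == "?" else int(a, 16) for a in raw_args.split(",")]
    ev = {"api": api, "ref": ref}
    if api == "NtCreateSection":
        # (SectionHandle, DesiredAccess, ObjectAttributes, MaximumSize,
        #  SectionPageProtection, AllocationAttributes, FileHandle)
        ev.update(access=flag_names(args[1], SECTION_ACCESS), protect=args[4],
                  protect_name=protect_name(args[4]),
                  attrs=flag_names(args[5], SEC_ATTRS))
    elif api == "NtMapViewOfSection":
        # (SectionHandle, ProcessHandle, BaseAddress, ZeroBits, CommitSize,
        #  SectionOffset, ViewSize, InheritDisposition, AllocationType, Win32Protect)
        ev.update(process=args[1], local=args[1] == PSEUDO_CURRENT_PROCESS,
                  protect=args[9], protect_name=protect_name(args[9]))
    elif api == "NtDuplicateObject":
        # (SourceProcessHandle, SourceHandle, TargetProcessHandle, TargetHandle,
        #  DesiredAccess, HandleAttributes, Options)
        ev.update(options=flag_names(args[6], DUP_OPTIONS))
    return ev


def find_section_injection(trace):
    """One finding per section mapped writable into this process and executable
    into another: the write-local / execute-remote pairing of section injection."""
    sections = []
    for ev in filter(None, map(decode_line, trace.splitlines())):
        if ev["api"] == "NtCreateSection":
            sections.append({"created_at": ev["ref"], "section_protect": ev["protect_name"],
                             "local": [], "remote": []})
        elif ev["api"] == "NtMapViewOfSection" and sections:
            # Assumption: a view belongs to the last section created (handles are '?').
            sections[-1]["local" if ev["local"] else "remote"].append(ev["protect"] or 0)
    findings = []
    for s in sections:
        if any(p & WRITABLE for p in s["local"]) and any(p & EXECUTABLE for p in s["remote"]):
            findings.append({"created_at": s["created_at"],
                             "section_protect": s["section_protect"],
                             "local_protect": [protect_name(p) for p in s["local"]],
                             "remote_protect": [protect_name(p) for p in s["remote"]]})
    return findings


if __name__ == "__main__":
    for ev in filter(None, map(decode_line, TRACE.splitlines())):
        print(ev)
    for finding in find_section_injection(TRACE):
        print("section injection:", finding)
```

Run as a script it prints each decoded call and then a single finding for the section created at 004016A4. The first section produces no finding because both of its views are PAGE_READWRITE; the test is deliberately the pairing (writable view in the caller, executable view elsewhere), not the RWX section protection alone, so a loader that creates an RWX section for its own use is not flagged.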
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2307707220.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_400000_tvgrbbh.jbxd
                                                                Similarity
                                                                • API ID: Section$View$Create$DuplicateObject
                                                                • String ID:
                                                                • API String ID: 1546783058-0
                                                                • Opcode ID: 4af5c640631db37ac51d1c1afd1ab74928840835cbc445bb96c3204467379d38
                                                                • Instruction ID: 71a4d0092025beca94809e07d65936591d52f1bb8effc294688e3fcd05e54c36
                                                                • Opcode Fuzzy Hash: 4af5c640631db37ac51d1c1afd1ab74928840835cbc445bb96c3204467379d38
                                                                • Instruction Fuzzy Hash: E0615171900204FBEB209F95CC89FAF7BB8FF85700F10412AF912BA2E5D6759905DB65

                                                                Control-flow Graph

[Control-flow graph rendered as an image; the Executed/Not Executed colouring and the block/edge dump are not reproduced.]
• Entry: 4014de-4014ed, looping through 401447-401535 and 401551-401563 before entering the mapping routine at 401539-401567
• API blocks: 4015e6-4015fd NtDuplicateObject; 401603-401627 NtCreateSection; 401629-40164a, 40164c-401668 NtMapViewOfSection; 401683-4016a9 NtCreateSection; 4016b9-4016da, 4016e0-4016fc NtMapViewOfSection
• Exits: the alternate branch of every API block converges on 4018b6-4018c5 → 4018dd-401915 (call 4011b7); the through path ends at 401702 (call 401707)
                                                                APIs
                                                                • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2307707220.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_400000_tvgrbbh.jbxd
                                                                Similarity
                                                                • API ID: Section$CreateDuplicateObjectView
                                                                • String ID:
                                                                • API String ID: 1652636561-0
                                                                • Opcode ID: c3f6308678fe624b1287adcb7156a2cf5c07ee8b7810a15753646c5694e98bc6
                                                                • Instruction ID: 6a824664258ffec6fdf95c516407446232c8a84219ad61b9fd4b8efeb52f3576
                                                                • Opcode Fuzzy Hash: c3f6308678fe624b1287adcb7156a2cf5c07ee8b7810a15753646c5694e98bc6
                                                                • Instruction Fuzzy Hash: 9B615C75900245BFEB219F91CC88FEBBBB8FF85710F10016AF951BA2A5E7749901CB24

                                                                Control-flow Graph

[Control-flow graph rendered as an image; the Executed/Not Executed colouring and the block/edge dump are not reproduced.]
• Entry: 401543-401544, branching to 401546-401567 (the mapping routine) or directly to 4015af-4015b1
• API blocks: 4015e6-4015fd NtDuplicateObject; 401603-401627 NtCreateSection; 401629-40164a, 40164c-401668 NtMapViewOfSection; 401683-4016a9 NtCreateSection; 4016b9-4016da, 4016e0-4016fc NtMapViewOfSection
• Exits: the alternate branch of every API block converges on 4018b6-4018c5 → 4018dd-401915 (call 4011b7); the through path ends at 401702 (call 401707)
                                                                APIs
                                                                • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                                • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
                                                                • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
                                                                • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
                                                                • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2307707220.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_400000_tvgrbbh.jbxd
                                                                Similarity
                                                                • API ID: Section$View$Create$DuplicateObject
                                                                • String ID:
                                                                • API String ID: 1546783058-0
                                                                • Opcode ID: f4faf4f0efc4cc5c307795d20c298965336779ff7452863f8b2b81be2522acaa
                                                                • Instruction ID: 1fc6fb52bb36dddf8f971a96ecfe927bdbae9887f6286775c14151e9c1d92244
                                                                • Opcode Fuzzy Hash: f4faf4f0efc4cc5c307795d20c298965336779ff7452863f8b2b81be2522acaa
                                                                • Instruction Fuzzy Hash: 13512B71900245BBEB209F91CC88FAF7BB8EF85B00F14416AF912BA2E5D6749945CB64

                                                                Control-flow Graph

[Control-flow graph rendered as an image; the Executed/Not Executed colouring and the block/edge dump are not reproduced.]
• Entry: 401565-401590 (call 4011b7), then the check at 401595-40159a inside the mapping routine
• API blocks: 4015e6-4015fd NtDuplicateObject; 401603-401627 NtCreateSection; 401629-40164a, 40164c-401668 NtMapViewOfSection; 401683-4016a9 NtCreateSection; 4016b9-4016da, 4016e0-4016fc NtMapViewOfSection
• Exits: the alternate branch of every API block converges on 4018b6-4018c5 → 4018dd-401915 (call 4011b7); the through path ends at 401702 (call 401707)
                                                                APIs
                                                                • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                                • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
                                                                • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
                                                                • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
                                                                • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2307707220.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_400000_tvgrbbh.jbxd
                                                                Similarity
                                                                • API ID: Section$View$Create$DuplicateObject
                                                                • String ID:
                                                                • API String ID: 1546783058-0
                                                                • Opcode ID: 40d7219ce39e026dd98d18ec02294656054e4da488103e740ba1602fb3a5db7c
                                                                • Instruction ID: d88667ffe02cbbb2798d41d5ad0cf6527765788d972b82ac88077c7d238bff09
                                                                • Opcode Fuzzy Hash: 40d7219ce39e026dd98d18ec02294656054e4da488103e740ba1602fb3a5db7c
                                                                • Instruction Fuzzy Hash: 54511A71900205BFEF209F91CC89FAFBBB8FF85B10F104259F911AA2A5D7759941CB64

                                                                Control-flow Graph

[Control-flow graph rendered as an image; the Executed/Not Executed colouring and the block/edge dump are not reproduced.]
• Entry: 40157c-401590 (call 4011b7), then the check at 401595-40159a inside the mapping routine
• API blocks: 4015e6-4015fd NtDuplicateObject; 401603-401627 NtCreateSection; 401629-40164a, 40164c-401668 NtMapViewOfSection; 401683-4016a9 NtCreateSection; 4016b9-4016da, 4016e0-4016fc NtMapViewOfSection
• Exits: the alternate branch of every API block converges on 4018b6-4018c5 → 4018dd-401915 (call 4011b7); the through path ends at 401702 (call 401707)
                                                                APIs
                                                                • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                                • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
                                                                • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
                                                                • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
                                                                • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2307707220.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_400000_tvgrbbh.jbxd
                                                                Similarity
                                                                • API ID: Section$View$Create$DuplicateObject
                                                                • String ID:
                                                                • API String ID: 1546783058-0
                                                                • Opcode ID: 44bf211d5ecd49b3cfb3996dc98baa0f9fc545abe5e070ef87effc0df1f686f8
                                                                • Instruction ID: 7169477154cf1621f4f222e223ad54e678f31395e99d0ffd613e12cb64d905d3
                                                                • Opcode Fuzzy Hash: 44bf211d5ecd49b3cfb3996dc98baa0f9fc545abe5e070ef87effc0df1f686f8
                                                                • Instruction Fuzzy Hash: 2B511A75900245BBEF209F91CC88FEF7BB8FF85B10F104119F911BA2A5D6759941CB64

                                                                 Control-flow Graph (rendered graph; node list omitted)
                                                                 • Function 40157c-401915: calls 4011b7; blocks invoke NtDuplicateObject (4015e6), NtCreateSection (401603, 401683) and NtMapViewOfSection (401629, 40164c, 4016b9, 4016e0)
                                                                APIs
                                                                • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                                • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
                                                                • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
                                                                • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
                                                                • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2307707220.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_400000_tvgrbbh.jbxd
                                                                Similarity
                                                                • API ID: Section$View$Create$DuplicateObject
                                                                • String ID:
                                                                • API String ID: 1546783058-0
                                                                • Opcode ID: c4110b1088d5ef41785dfe7ea8eaa09ab46741a105747cbb29c974859abd6495
                                                                • Instruction ID: 14f4b29c405daff92d21e2b3eea283823ae405efc36948ac0d92101f557811aa
                                                                • Opcode Fuzzy Hash: c4110b1088d5ef41785dfe7ea8eaa09ab46741a105747cbb29c974859abd6495
                                                                • Instruction Fuzzy Hash: DE51F9B5900245BBEF209F91CC88FEFBBB8FF85B10F104259F911AA2A5D6709944CB64

                                                                 Control-flow Graph (rendered graph; node list omitted)
                                                                 • Function 402fe9-403145: block 4030ce-40313d invokes RtlCreateUserThread and NtTerminateProcess
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2307707220.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_400000_tvgrbbh.jbxd
                                                                Similarity
                                                                • API ID: CreateProcessTerminateThreadUser
                                                                • String ID:
                                                                • API String ID: 1921587553-0
                                                                • Opcode ID: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
                                                                • Instruction ID: 3e1675bac70c022a4e457ffe6b5fa54937b73e0116388ba90aec32851b4d9964
                                                                • Opcode Fuzzy Hash: 8dd8c1b6c2a2e81b31e5df05537a0a765b57e58f23bcff5050bac5d1a8738f05
                                                                • Instruction Fuzzy Hash: A1412431228E088FD768EF5CA885762B7D5F798311F6643AAE809D7389EA34DC1183C5

                                                                 Control-flow Graph (rendered graph; node list omitted)
                                                                 • Function 2c6003c-2c6091d: blocks invoke VirtualAlloc (2c6004c), VirtualProtect (2c602ce), VirtualFree (2c60439) and LoadLibraryA (2c6086e); calls subroutines 2c60a3f, 2c60e0f, 2c60d90, 2c60a69, 2c60cce and 2c60ce7
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 02C6024D
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2308849258.0000000002C60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_2c60000_tvgrbbh.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID: cess$kernel32.dll
                                                                • API String ID: 4275171209-1230238691
                                                                • Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                • Instruction ID: 3084b9716a3f2086ec10528f3af64fba5d994fc1546ad723f42e00585b1e0fb9
                                                                • Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
                                                                • Instruction Fuzzy Hash: 7B526974A01229DFDB64CF68C985BACBBB1BF09304F1480D9E94DAB351DB30AA85DF14

                                                                 Control-flow Graph (rendered graph; node list omitted)
                                                                 • Function 2e74f22-2e74f80: blocks invoke CreateToolhelp32Snapshot (2e74f46) and Module32First (2e74f62); calls subroutine 2e74be1
                                                                APIs
                                                                • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02E74F4A
                                                                • Module32First.KERNEL32(00000000,00000224), ref: 02E74F6A
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2309055682.0000000002E6E000.00000040.00000020.00020000.00000000.sdmp, Offset: 02E6E000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_2e6e000_tvgrbbh.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CreateFirstModule32SnapshotToolhelp32
                                                                • String ID:
                                                                • API String ID: 3833638111-0
                                                                • Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                • Instruction ID: dab4c6922f311c240b6aad75d4ba2606e035a2cfc7936fd20b477b2c7d38f334
                                                                • Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
                                                                • Instruction Fuzzy Hash: 02F02B355407106FD7303BFA9C8CB6E76FCAF88329F106129F642D10C0CB70E8054A61

                                                                 Control-flow Graph (rendered graph; node list omitted)
                                                                 • Function 2c60e0f-2c60e2c: SetErrorMode invoked twice in the entry block
                                                                APIs
                                                                • SetErrorMode.KERNELBASE(00000400,?,?,02C60223,?,?), ref: 02C60E19
                                                                • SetErrorMode.KERNELBASE(00000000,?,?,02C60223,?,?), ref: 02C60E1E
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2308849258.0000000002C60000.00000040.00001000.00020000.00000000.sdmp, Offset: 02C60000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_2c60000_tvgrbbh.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: ErrorMode
                                                                • String ID:
                                                                • API String ID: 2340568224-0
                                                                • Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                • Instruction ID: a52e848336db6db71d64a54ad4a59583342d8f175e1724d03ed75c9ac82eaec5
                                                                • Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
                                                                • Instruction Fuzzy Hash: BFD0123154512877D7002AD4DC0DBDD7B1CDF05B66F008011FB0DE9080C770964046E5

                                                                 Control-flow Graph (rendered graph; node list omitted)
                                                                 • Function 401918-4019d3: calls 4011b7 and 40143e around Sleep (401946), then subroutine 401538
                                                                APIs
                                                                • Sleep.KERNELBASE(00001388), ref: 00401966
                                                                  • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                  • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                  • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2307707220.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_400000_tvgrbbh.jbxd
                                                                Similarity
                                                                • API ID: Section$CreateDuplicateObjectSleepView
                                                                • String ID:
                                                                • API String ID: 1885482327-0
                                                                • Opcode ID: be810bd81fc1513bf14dac74237aa616a3cfbc48422f9378a192f31e1e69cca3
                                                                • Instruction ID: 41df8370e0b5f9a47a14a91e784646d83bdfa422f97ac69dcfec837627d5bcb0
                                                                • Opcode Fuzzy Hash: be810bd81fc1513bf14dac74237aa616a3cfbc48422f9378a192f31e1e69cca3
                                                                • Instruction Fuzzy Hash: 6D018CF520C148E7EB016A948DB1EBA36299B45324F300233B647B91F4C57C8A03E76F

                                                                 Control-flow Graph (rendered graph; node list omitted)
                                                                 • Function 401924-4019d3: calls 4011b7 and 40143e around Sleep (401946), then subroutine 401538
                                                                APIs
                                                                • Sleep.KERNELBASE(00001388), ref: 00401966
                                                                  • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                  • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                  • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2307707220.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_400000_tvgrbbh.jbxd
                                                                Similarity
                                                                • API ID: Section$CreateDuplicateObjectSleepView
                                                                • String ID:
                                                                • API String ID: 1885482327-0
                                                                • Opcode ID: 3ad2d4b3403b833ed421c634174be831538fe621ff724946387ec8f91c54f5fa
                                                                • Instruction ID: 34fc3aff5e218d4630d956a4f9c4c41b7245144a44faa4fd8074b33eba8f9d72
                                                                • Opcode Fuzzy Hash: 3ad2d4b3403b833ed421c634174be831538fe621ff724946387ec8f91c54f5fa
                                                                • Instruction Fuzzy Hash: 43017CF5208145E7EB015A948DB0EBA26299B45314F300237B617BA1F4C57D8602E76F
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02E74C32
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2309055682.0000000002E6E000.00000040.00000020.00020000.00000000.sdmp, Offset: 02E6E000, based on PE: false
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_2e6e000_tvgrbbh.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                • Instruction ID: a474ff6aedbe676e65d0c2a6b990f06b860929d274e15f1c0a17648955547428
                                                                • Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
                                                                • Instruction Fuzzy Hash: 61112B79A40208EFDB01DF98C985E99BBF5AF08350F05C094F9489B361D371EA50DF90
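                                                                 The API lists in the entries above are easier to triage once the hex arguments are decoded: NtCreateSection with SECTION_MAP_READ|WRITE|EXECUTE access and PAGE_EXECUTE_READWRITE protection, the same section mapped PAGE_READWRITE into the current process and PAGE_EXECUTE_READ under a second process handle, VirtualAlloc with PAGE_EXECUTE_READWRITE, CreateToolhelp32Snapshot with TH32CS_SNAPMODULE, and two back-to-back SetErrorMode calls. The Python script below is an added example; it is not part of the Joe Sandbox report and not code from the sample. It parses lines in the report's "APIs" format, renders the flag arguments symbolically and flags the injection-relevant combinations. The sample trace is copied from the entries above. Two points are assumptions rather than report facts: that the report prints the -1 current-process pseudo-handle as 000000FF, and that SetErrorMode(0x400) followed by SetErrorMode(0) is worth flagging because that pair is a well-known emulator probe (the caller compares the second return value with 0x400).

```python
"""Decode Joe Sandbox 'APIs' lines and flag section-mapping injection indicators."""
import re
from collections import namedtuple

# Constructed input: the call lines are copied from the report entries above.
# "?" marks an argument the sandbox could not resolve.
TRACE = """
NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401663
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016A4
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016D5
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 004016F7
VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02E74C32
CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02E74F4A
SetErrorMode.KERNELBASE(00000400,?,?,02C60223,?,?), ref: 02C60E19
SetErrorMode.KERNELBASE(00000000,?,?,02C60223,?,?), ref: 02C60E1E
"""

Call = namedtuple("Call", "api module args ref")
LINE_RE = re.compile(r"^\s*(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$")

# Documented Win32/NT constant values.
PAGE = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
        0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
        0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
SECTION = {0x1: "SECTION_QUERY", 0x2: "SECTION_MAP_WRITE", 0x4: "SECTION_MAP_READ",
           0x8: "SECTION_MAP_EXECUTE", 0x10: "SECTION_EXTEND_SIZE"}
SEC = {0x1000000: "SEC_IMAGE", 0x4000000: "SEC_RESERVE", 0x8000000: "SEC_COMMIT"}
MEM = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x100000: "MEM_TOP_DOWN"}
TH32CS = {0x1: "TH32CS_SNAPHEAPLIST", 0x2: "TH32CS_SNAPPROCESS", 0x4: "TH32CS_SNAPTHREAD",
          0x8: "TH32CS_SNAPMODULE", 0x10: "TH32CS_SNAPMODULE32"}
EXEC_MASK = 0xF0  # set for every PAGE_EXECUTE* value
# Assumption: the report prints the -1 (NtCurrentProcess) pseudo-handle as 000000FF.
CURRENT_PROCESS = {0xFF, 0xFFFFFFFF}


def parse(text):
    """Turn report lines into Call tuples; unresolved '?' arguments become None."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            api, mod, raw, ref = m.groups()
            args = [None if a.strip() == "?" else int(a, 16) for a in raw.split(",")]
            calls.append(Call(api, mod, args, ref.upper()))
    return calls


def names(value, table):
    """Render a bitmask as '|'-joined constant names; bits not in the table stay hex."""
    if value is None:
        return "?"
    parts = [name for bit, name in table.items() if value & bit]
    rest = value & ~sum(table)
    if rest:
        parts.append(hex(rest))
    return "|".join(parts) or "0"


def arg(call, i):
    return call.args[i] if i < len(call.args) else None


def decode(call):
    """Symbolic view of the arguments that matter for injection triage."""
    if call.api == "NtCreateSection":  # (handle, access, objattr, maxsize, prot, attrs, file)
        return (f"access={names(arg(call, 1), SECTION)} prot={names(arg(call, 4), PAGE)} "
                f"attrs={names(arg(call, 5), SEC)}")
    if call.api == "NtMapViewOfSection":  # (section, process, base, ..., protect at index 9)
        ph = arg(call, 1)
        who = ("current-process" if ph in CURRENT_PROCESS else
               "unresolved-handle" if ph is None else f"handle={ph:#x}")
        return f"process={who} prot={names(arg(call, 9), PAGE)}"
    if call.api == "VirtualAlloc":  # (addr, size, type, prot)
        return f"type={names(arg(call, 2), MEM)} prot={names(arg(call, 3), PAGE)}"
    if call.api == "CreateToolhelp32Snapshot":  # (flags, pid)
        return f"flags={names(arg(call, 0), TH32CS)} pid={arg(call, 1)}"
    if call.api == "SetErrorMode":
        return f"mode={names(arg(call, 0), {})}"
    return ""


def findings(calls):
    """(ref, description) pairs for the behaviours worth a second look."""
    out = []
    for i, c in enumerate(calls):
        if c.api == "NtCreateSection" and (arg(c, 4) or 0) & EXEC_MASK:
            out.append((c.ref, "section created with executable page protection"))
        elif (c.api == "NtMapViewOfSection" and (arg(c, 9) or 0) & EXEC_MASK
              and arg(c, 1) not in CURRENT_PROCESS):
            out.append((c.ref, "executable view mapped under a non-local or unresolved process handle"))
        elif c.api == "VirtualAlloc" and arg(c, 3) == 0x40:
            out.append((c.ref, "private RWX allocation"))
        elif c.api == "CreateToolhelp32Snapshot" and (arg(c, 0) or 0) & 0x8:
            out.append((c.ref, "module snapshot: enumerates loaded DLLs"))
        elif (c.api == "SetErrorMode" and arg(c, 0) == 0x400 and i + 1 < len(calls)
              and calls[i + 1].api == "SetErrorMode" and arg(calls[i + 1], 0) == 0):
            out.append((c.ref, "SetErrorMode(0x400) then SetErrorMode(0): return-value probe"))
    return out


if __name__ == "__main__":
    calls = parse(TRACE)
    for c in calls:
        print(f"{c.ref} {c.api:<26} {decode(c)}")
    for ref, why in findings(calls):
        print(f"[!] {ref}: {why}")
```

                                                                 RtlCreateUserThread and NtTerminateProcess appear in this report only as graph node labels without arguments, so the script does not score them; lines for them in the same format from another report would be parsed but ignored by findings().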
                                                                APIs
                                                                • Sleep.KERNELBASE(00001388), ref: 00401966
                                                                  • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                  • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                  • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2307707220.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_400000_tvgrbbh.jbxd
                                                                Similarity
                                                                • API ID: Section$CreateDuplicateObjectSleepView
                                                                • String ID:
                                                                • API String ID: 1885482327-0
                                                                • Opcode ID: 6acc595331c6a8be6e6657ef398eef7c869974a8ecae4d1fde63dfd35a725e44
                                                                • Instruction ID: 53d82b158b021bc4b6cde56962adc0b8c8d23177238c0d6ee964112a53f005ae
                                                                • Opcode Fuzzy Hash: 6acc595331c6a8be6e6657ef398eef7c869974a8ecae4d1fde63dfd35a725e44
                                                                • Instruction Fuzzy Hash: 38F0AFB6308249F7DB01AA908DB1EBA36299B54315F300633B617B91F5C57C8A12E76F
                                                                APIs
                                                                • Sleep.KERNELBASE(00001388), ref: 00401966
                                                                  • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                  • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                  • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2307707220.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_400000_tvgrbbh.jbxd
                                                                Similarity
                                                                • API ID: Section$CreateDuplicateObjectSleepView
                                                                • String ID:
                                                                • API String ID: 1885482327-0
                                                                • Opcode ID: 0dfbee2e4a1c62836b2bd3ba6284fddb5b43d5507a7098400a51ac80bc720613
                                                                • Instruction ID: f7568a5a22988f4b084f7ac8228f9b89e575eda69d31bfffabc36cd9cbe45c64
                                                                • Opcode Fuzzy Hash: 0dfbee2e4a1c62836b2bd3ba6284fddb5b43d5507a7098400a51ac80bc720613
                                                                • Instruction Fuzzy Hash: BDF0C2B6208144F7DB019AA18DB1FBA36299B44314F300233BA17B90F5C67C8612E76F
                                                                APIs
                                                                • Sleep.KERNELBASE(00001388), ref: 00401966
                                                                  • Part of subcall function 00401538: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 004015F5
                                                                  • Part of subcall function 00401538: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401622
                                                                  • Part of subcall function 00401538: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401645
                                                                Memory Dump Source
                                                                • Source File: 00000004.00000002.2307707220.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_4_2_400000_tvgrbbh.jbxd
                                                                Similarity
                                                                • API ID: Section$CreateDuplicateObjectSleepView
                                                                • String ID:
                                                                • API String ID: 1885482327-0
                                                                • Opcode ID: f575feb9a37452ed4573e207967fb92b714552aa85f9b6ebf0a13cec3e485039
                                                                • Instruction ID: 9d6088553fbd849a34ffa1589a5f9bffd683413c7e042594889390f4c4f3f426
                                                                • Opcode Fuzzy Hash: f575feb9a37452ed4573e207967fb92b714552aa85f9b6ebf0a13cec3e485039
                                                                • Instruction Fuzzy Hash: 08F0C2B2208144F7DB019A958DA0FBA36299B44314F300633B617B91F5C57C8A02E72F

                                                                Execution Graph

                                                                Execution Coverage:18.2%
                                                                Dynamic/Decrypted Code Coverage:0%
                                                                Signature Coverage:19.5%
                                                                Total number of Nodes:1453
                                                                Total number of Limit Nodes:32
                                                                 execution_graph (rendered graph; node list omitted, the dump continues beyond this section). API calls named on its nodes: ShowWindow, EnableWindow, GetTickCount, GetTempFileNameA, lstrlenA, wsprintfA, SetErrorMode, GetVersionExA, GetSystemDirectoryA, LoadLibraryExA, GetModuleHandleA, GetProcAddress, ordinal #17, OleInitialize, SHGetFileInfoA, lstrcpynA, GetCommandLineA, CharNextA, CharPrevA, GetTempPathA, DeleteFileA, GetModuleFileNameA, GetWindowsDirectoryA, lstrcatA, lstrcmpiA, SetEnvironmentVariableA, ExitProcess, OleUninitialize, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, ExitWindowsEx, CreateDirectoryA, SetCurrentDirectoryA, CopyFileA, CloseHandle, MoveFileExA, CreateProcessA, GetFileAttributesA, CreateFileA, GetFileSize, GlobalAlloc, ReadFile, SetFilePointer, LoadImageA, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, FindFirstFileA, MessageBoxIndirectA, GetLastError, SetFileSecurityA
3629->3631 3630->3631 3631->3494 3632->3500 3633->3502 3635 405d6e 3634->3635 3636 405d73 CharPrevA 3635->3636 3637 402fc8 3635->3637 3636->3635 3636->3637 3638 406388 lstrcpynA 3637->3638 3638->3506 3640 402ee3 3639->3640 3641 402ecb 3639->3641 3644 402ef3 GetTickCount 3640->3644 3645 402eeb 3640->3645 3642 402ed4 DestroyWindow 3641->3642 3643 402edb 3641->3643 3642->3643 3643->3511 3643->3527 3673 403484 SetFilePointer 3643->3673 3644->3643 3647 402f01 3644->3647 3674 4067d0 3645->3674 3648 402f36 CreateDialogParamA ShowWindow 3647->3648 3649 402f09 3647->3649 3648->3643 3649->3643 3678 402ea1 3649->3678 3651 402f17 wsprintfA 3652 4054a9 24 API calls 3651->3652 3653 402f34 3652->3653 3653->3643 3654->3524 3656 403228 3655->3656 3657 40320c SetFilePointer 3655->3657 3681 403305 GetTickCount 3656->3681 3657->3656 3662 403305 42 API calls 3663 40325f 3662->3663 3664 4032c5 3663->3664 3665 4032cb ReadFile 3663->3665 3666 40326e 3663->3666 3664->3527 3665->3664 3666->3664 3668 405f93 ReadFile 3666->3668 3696 405fc2 WriteFile 3666->3696 3668->3666 3671 405f93 ReadFile 3670->3671 3672 403481 3671->3672 3672->3526 3673->3515 3675 4067ed PeekMessageA 3674->3675 3676 4067e3 DispatchMessageA 3675->3676 3677 4067fd 3675->3677 3676->3675 3677->3643 3679 402eb0 3678->3679 3680 402eb2 MulDiv 3678->3680 3679->3680 3680->3651 3682 403333 3681->3682 3683 40345d 3681->3683 3698 403484 SetFilePointer 3682->3698 3684 402ebd 32 API calls 3683->3684 3690 40322f 3684->3690 3686 40333e SetFilePointer 3691 403363 3686->3691 3687 40346e ReadFile 3687->3691 3689 402ebd 32 API calls 3689->3691 3690->3664 3694 405f93 ReadFile 3690->3694 3691->3687 3691->3689 3691->3690 3692 405fc2 WriteFile 3691->3692 3693 40343e SetFilePointer 3691->3693 3699 4068d9 3691->3699 3692->3691 3693->3683 3695 403248 3694->3695 3695->3662 3695->3664 3697 405fe0 3696->3697 3697->3666 3698->3686 3700 4068fe 3699->3700 3705 406906 3699->3705 3700->3691 3701 406996 GlobalAlloc 3701->3700 3701->3705 3702 40698d 
GlobalFree 3702->3701 3703 406a04 GlobalFree 3704 406a0d GlobalAlloc 3703->3704 3704->3700 3704->3705 3705->3700 3705->3701 3705->3702 3705->3703 3705->3704 3707 403e47 3706->3707 3723 4062e6 wsprintfA 3707->3723 3709 403eb8 3724 403eec 3709->3724 3711 403bf3 3711->3541 3712 403ebd 3712->3711 3713 40641b 17 API calls 3712->3713 3713->3712 3714->3537 3715->3543 3727 404451 3716->3727 3718 40559e 3722 4055c5 3718->3722 3730 401389 3718->3730 3719 404451 SendMessageA 3720 4055d7 OleUninitialize 3719->3720 3720->3572 3722->3719 3723->3709 3725 40641b 17 API calls 3724->3725 3726 403efa SetWindowTextA 3725->3726 3726->3712 3728 404469 3727->3728 3729 40445a SendMessageA 3727->3729 3728->3718 3729->3728 3732 401390 3730->3732 3731 4013fe 3731->3718 3732->3731 3733 4013cb MulDiv SendMessageA 3732->3733 3733->3732 3734->3588 3736 405dde 3735->3736 3737 405dce 3735->3737 3739 405d45 CharNextA 3736->3739 3740 405dfe 3736->3740 3737->3736 3738 405dd9 CharNextA 3737->3738 3738->3740 3739->3736 3740->3591 3740->3592 3742 406715 FindClose 3741->3742 3743 406720 3741->3743 3742->3743 3743->3598 3745 406017 3744->3745 3746 40603d GetShortPathNameA 3744->3746 3771 405f1b GetFileAttributesA CreateFileA 3745->3771 3748 406052 3746->3748 3749 40615c 3746->3749 3748->3749 3751 40605a wsprintfA 3748->3751 3749->3620 3750 406021 CloseHandle GetShortPathNameA 3750->3749 3753 406035 3750->3753 3752 40641b 17 API calls 3751->3752 3754 406082 3752->3754 3753->3746 3753->3749 3772 405f1b GetFileAttributesA CreateFileA 3754->3772 3756 40608f 3756->3749 3757 40609e GetFileSize GlobalAlloc 3756->3757 3758 4060c0 3757->3758 3759 406155 CloseHandle 3757->3759 3760 405f93 ReadFile 3758->3760 3759->3749 3761 4060c8 3760->3761 3761->3759 3773 405e80 lstrlenA 3761->3773 3764 4060f3 3766 405e80 4 API calls 3764->3766 3765 4060df lstrcpyA 3767 406101 3765->3767 3766->3767 3768 406138 SetFilePointer 3767->3768 3769 405fc2 WriteFile 3768->3769 3770 40614e GlobalFree 3769->3770 3770->3759 3771->3750 
3772->3756 3774 405ec1 lstrlenA 3773->3774 3775 405ec9 3774->3775 3776 405e9a lstrcmpiA 3774->3776 3775->3764 3775->3765 3776->3775 3777 405eb8 CharNextA 3776->3777 3777->3774 4044 404850 4045 404860 4044->4045 4046 404886 4044->4046 4051 404405 4045->4051 4054 40446c 4046->4054 4049 40486d SetDlgItemTextA 4049->4046 4052 40641b 17 API calls 4051->4052 4053 404410 SetDlgItemTextA 4052->4053 4053->4049 4055 40452f 4054->4055 4056 404484 GetWindowLongA 4054->4056 4056->4055 4057 404499 4056->4057 4057->4055 4058 4044c6 GetSysColor 4057->4058 4059 4044c9 4057->4059 4058->4059 4060 4044d9 SetBkMode 4059->4060 4061 4044cf SetTextColor 4059->4061 4062 4044f1 GetSysColor 4060->4062 4063 4044f7 4060->4063 4061->4060 4062->4063 4064 4044fe SetBkColor 4063->4064 4065 404508 4063->4065 4064->4065 4065->4055 4066 404522 CreateBrushIndirect 4065->4066 4067 40451b DeleteObject 4065->4067 4066->4055 4067->4066 4075 4014d6 4076 402c17 17 API calls 4075->4076 4077 4014dc Sleep 4076->4077 4079 402ac5 4077->4079 3873 401759 3874 402c39 17 API calls 3873->3874 3875 401760 3874->3875 3876 401786 3875->3876 3877 40177e 3875->3877 3913 406388 lstrcpynA 3876->3913 3912 406388 lstrcpynA 3877->3912 3880 401784 3884 406666 5 API calls 3880->3884 3881 401791 3882 405d1a 3 API calls 3881->3882 3883 401797 lstrcatA 3882->3883 3883->3880 3899 4017a3 3884->3899 3885 4066ff 2 API calls 3885->3899 3886 405ef6 2 API calls 3886->3899 3888 4017ba CompareFileTime 3888->3899 3889 40187e 3890 4054a9 24 API calls 3889->3890 3892 401888 3890->3892 3891 401855 3893 4054a9 24 API calls 3891->3893 3900 40186a 3891->3900 3894 4031fd 44 API calls 3892->3894 3893->3900 3895 40189b 3894->3895 3896 4018af SetFileTime 3895->3896 3898 4018c1 FindCloseChangeNotification 3895->3898 3896->3898 3897 40641b 17 API calls 3897->3899 3898->3900 3901 4018d2 3898->3901 3899->3885 3899->3886 3899->3888 3899->3889 3899->3891 3899->3897 3902 406388 lstrcpynA 3899->3902 3907 405a9e MessageBoxIndirectA 3899->3907 3911 405f1b 
GetFileAttributesA CreateFileA 3899->3911 3903 4018d7 3901->3903 3904 4018ea 3901->3904 3902->3899 3905 40641b 17 API calls 3903->3905 3906 40641b 17 API calls 3904->3906 3908 4018df lstrcatA 3905->3908 3909 4018f2 3906->3909 3907->3899 3908->3909 3910 405a9e MessageBoxIndirectA 3909->3910 3910->3900 3911->3899 3912->3880 3913->3881 4080 401659 4081 402c39 17 API calls 4080->4081 4082 40165f 4081->4082 4083 4066ff 2 API calls 4082->4083 4084 401665 4083->4084 4085 401959 4086 402c17 17 API calls 4085->4086 4087 401960 4086->4087 4088 402c17 17 API calls 4087->4088 4089 40196d 4088->4089 4090 402c39 17 API calls 4089->4090 4091 401984 lstrlenA 4090->4091 4093 401994 4091->4093 4092 4019d4 4093->4092 4097 406388 lstrcpynA 4093->4097 4095 4019c4 4095->4092 4096 4019c9 lstrlenA 4095->4096 4096->4092 4097->4095 4098 401a5e 4099 402c17 17 API calls 4098->4099 4100 401a67 4099->4100 4101 402c17 17 API calls 4100->4101 4102 401a0e 4101->4102 4103 401563 4104 402a42 4103->4104 4107 4062e6 wsprintfA 4104->4107 4106 402a47 4107->4106 4108 401b63 4109 402c39 17 API calls 4108->4109 4110 401b6a 4109->4110 4111 402c17 17 API calls 4110->4111 4112 401b73 wsprintfA 4111->4112 4113 402ac5 4112->4113 4114 100013a4 4121 10001426 4114->4121 4122 100013d0 4121->4122 4124 1000142f 4121->4124 4126 100010d0 GetVersionExA 4122->4126 4123 1000145f GlobalFree 4123->4122 4124->4122 4124->4123 4125 1000144b lstrcpynA 4124->4125 4125->4123 4127 10001106 4126->4127 4128 100010fc 4126->4128 4129 10001122 LoadLibraryW 4127->4129 4130 1000110e 4127->4130 4152 100014ba wsprintfA 4128->4152 4132 100011a5 4129->4132 4133 1000113b GetProcAddress 4129->4133 4130->4128 4131 10001225 LoadLibraryA 4130->4131 4131->4128 4136 1000123d GetProcAddress GetProcAddress GetProcAddress 4131->4136 4132->4128 4141 100011c1 WideCharToMultiByte lstrcmpiA 4132->4141 4143 10001217 LocalFree 4132->4143 4145 100011f7 4132->4145 4134 1000118e 4133->4134 4135 1000114e LocalAlloc 4133->4135 4138 1000119a FreeLibrary 
4134->4138 4137 10001189 4135->4137 4139 10001323 FreeLibrary 4136->4139 4150 1000126b 4136->4150 4137->4134 4140 1000115c NtQuerySystemInformation 4137->4140 4138->4132 4139->4128 4140->4138 4142 1000116f LocalFree 4140->4142 4141->4132 4142->4134 4144 10001180 LocalAlloc 4142->4144 4143->4128 4144->4137 4145->4132 4146 1000103f 8 API calls 4145->4146 4146->4145 4147 100012a2 lstrlenA 4147->4150 4148 1000131c CloseHandle 4148->4139 4149 100012c4 lstrcpynA lstrcmpiA 4149->4150 4150->4139 4150->4147 4150->4148 4150->4149 4151 1000103f 8 API calls 4150->4151 4151->4150 4155 10001475 4152->4155 4156 100013e3 4155->4156 4157 1000147e GlobalAlloc lstrcpynA 4155->4157 4157->4156 4158 401d65 4159 401d78 GetDlgItem 4158->4159 4160 401d6b 4158->4160 4161 401d72 4159->4161 4162 402c17 17 API calls 4160->4162 4163 401db9 GetClientRect LoadImageA SendMessageA 4161->4163 4164 402c39 17 API calls 4161->4164 4162->4161 4166 401e26 4163->4166 4167 401e1a 4163->4167 4164->4163 4167->4166 4168 401e1f DeleteObject 4167->4168 4168->4166 3376 10001426 3377 1000146f 3376->3377 3379 1000142f 3376->3379 3378 1000145f GlobalFree 3378->3377 3379->3377 3379->3378 3380 1000144b lstrcpynA 3379->3380 3380->3378 4169 402766 4170 40276c 4169->4170 4171 402774 FindClose 4170->4171 4172 402ac5 4170->4172 4171->4172 4173 4055e7 4174 405792 4173->4174 4175 405609 GetDlgItem GetDlgItem GetDlgItem 4173->4175 4177 40579a GetDlgItem CreateThread CloseHandle 4174->4177 4180 4057c2 4174->4180 4218 40443a SendMessageA 4175->4218 4177->4180 4178 405679 4184 405680 GetClientRect GetSystemMetrics SendMessageA SendMessageA 4178->4184 4179 4057f0 4183 40584b 4179->4183 4186 405800 4179->4186 4187 405824 ShowWindow 4179->4187 4180->4179 4181 405811 4180->4181 4182 4057d8 ShowWindow ShowWindow 4180->4182 4188 40446c 8 API calls 4181->4188 4220 40443a SendMessageA 4182->4220 4183->4181 4193 405858 SendMessageA 4183->4193 4191 4056d2 SendMessageA SendMessageA 4184->4191 4192 4056ee 4184->4192 4221 4043de 4186->4221 
4189 405844 4187->4189 4190 405836 4187->4190 4195 40581d 4188->4195 4197 4043de SendMessageA 4189->4197 4196 4054a9 24 API calls 4190->4196 4191->4192 4198 405701 4192->4198 4199 4056f3 SendMessageA 4192->4199 4193->4195 4200 405871 CreatePopupMenu 4193->4200 4196->4189 4197->4183 4202 404405 18 API calls 4198->4202 4199->4198 4201 40641b 17 API calls 4200->4201 4203 405881 AppendMenuA 4201->4203 4204 405711 4202->4204 4205 4058b2 TrackPopupMenu 4203->4205 4206 40589f GetWindowRect 4203->4206 4207 40571a ShowWindow 4204->4207 4208 40574e GetDlgItem SendMessageA 4204->4208 4205->4195 4210 4058ce 4205->4210 4206->4205 4211 405730 ShowWindow 4207->4211 4212 40573d 4207->4212 4208->4195 4209 405775 SendMessageA SendMessageA 4208->4209 4209->4195 4213 4058ed SendMessageA 4210->4213 4211->4212 4219 40443a SendMessageA 4212->4219 4213->4213 4214 40590a OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 4213->4214 4216 40592c SendMessageA 4214->4216 4216->4216 4217 40594e GlobalUnlock SetClipboardData CloseClipboard 4216->4217 4217->4195 4218->4178 4219->4208 4220->4179 4222 4043e5 4221->4222 4223 4043eb SendMessageA 4221->4223 4222->4223 4223->4181 4224 404be8 4225 404c14 4224->4225 4226 404bf8 4224->4226 4228 404c47 4225->4228 4229 404c1a SHGetPathFromIDListA 4225->4229 4235 405a82 GetDlgItemTextA 4226->4235 4231 404c31 SendMessageA 4229->4231 4232 404c2a 4229->4232 4230 404c05 SendMessageA 4230->4225 4231->4228 4233 40140b 2 API calls 4232->4233 4233->4231 4235->4230 4236 4023e8 4237 402c39 17 API calls 4236->4237 4238 4023f9 4237->4238 4239 402c39 17 API calls 4238->4239 4240 402402 4239->4240 4241 402c39 17 API calls 4240->4241 4242 40240c GetPrivateProfileStringA 4241->4242 4243 4027e8 4244 402c39 17 API calls 4243->4244 4245 4027f4 4244->4245 4246 40280a 4245->4246 4247 402c39 17 API calls 4245->4247 4248 405ef6 2 API calls 4246->4248 4247->4246 4249 402810 4248->4249 4271 405f1b GetFileAttributesA CreateFileA 4249->4271 4251 40281d 4252 4028d9 4251->4252 4253 
4028c1 4251->4253 4254 402838 GlobalAlloc 4251->4254 4255 4028e0 DeleteFileA 4252->4255 4256 4028f3 4252->4256 4258 4031fd 44 API calls 4253->4258 4254->4253 4257 402851 4254->4257 4255->4256 4272 403484 SetFilePointer 4257->4272 4260 4028ce CloseHandle 4258->4260 4260->4252 4261 402857 4262 40346e ReadFile 4261->4262 4263 402860 GlobalAlloc 4262->4263 4264 402870 4263->4264 4265 4028aa 4263->4265 4267 4031fd 44 API calls 4264->4267 4266 405fc2 WriteFile 4265->4266 4268 4028b6 GlobalFree 4266->4268 4270 40287d 4267->4270 4268->4253 4269 4028a1 GlobalFree 4269->4265 4270->4269 4271->4251 4272->4261 4273 40166a 4274 402c39 17 API calls 4273->4274 4275 401671 4274->4275 4276 402c39 17 API calls 4275->4276 4277 40167a 4276->4277 4278 402c39 17 API calls 4277->4278 4279 401683 MoveFileA 4278->4279 4280 401696 4279->4280 4286 40168f 4279->4286 4282 4066ff 2 API calls 4280->4282 4284 4022ea 4280->4284 4281 401423 24 API calls 4281->4284 4283 4016a5 4282->4283 4283->4284 4285 406161 36 API calls 4283->4285 4285->4286 4286->4281 4294 4019ed 4295 402c39 17 API calls 4294->4295 4296 4019f4 4295->4296 4297 402c39 17 API calls 4296->4297 4298 4019fd 4297->4298 4299 401a04 lstrcmpiA 4298->4299 4300 401a16 lstrcmpA 4298->4300 4301 401a0a 4299->4301 4300->4301 4302 40156f 4303 401586 4302->4303 4304 40157f ShowWindow 4302->4304 4305 401594 ShowWindow 4303->4305 4306 402ac5 4303->4306 4304->4303 4305->4306 4307 404570 4308 404586 4307->4308 4313 404692 4307->4313 4311 404405 18 API calls 4308->4311 4309 404701 4310 4047cb 4309->4310 4312 40470b GetDlgItem 4309->4312 4319 40446c 8 API calls 4310->4319 4314 4045dc 4311->4314 4315 404721 4312->4315 4316 404789 4312->4316 4313->4309 4313->4310 4317 4046d6 GetDlgItem SendMessageA 4313->4317 4318 404405 18 API calls 4314->4318 4315->4316 4320 404747 SendMessageA LoadCursorA SetCursor 4315->4320 4316->4310 4321 40479b 4316->4321 4340 404427 EnableWindow 4317->4340 4323 4045e9 CheckDlgButton 4318->4323 4324 4047c6 4319->4324 4344 404814 
4320->4344 4326 4047a1 SendMessageA 4321->4326 4327 4047b2 4321->4327 4338 404427 EnableWindow 4323->4338 4326->4327 4327->4324 4331 4047b8 SendMessageA 4327->4331 4328 4046fc 4341 4047f0 4328->4341 4331->4324 4333 404607 GetDlgItem 4339 40443a SendMessageA 4333->4339 4335 40461d SendMessageA 4336 404644 SendMessageA SendMessageA lstrlenA SendMessageA SendMessageA 4335->4336 4337 40463b GetSysColor 4335->4337 4336->4324 4337->4336 4338->4333 4339->4335 4340->4328 4342 404803 SendMessageA 4341->4342 4343 4047fe 4341->4343 4342->4309 4343->4342 4347 405a64 ShellExecuteExA 4344->4347 4346 40477a LoadCursorA SetCursor 4346->4316 4347->4346 4348 402173 4349 402c39 17 API calls 4348->4349 4350 40217a 4349->4350 4351 402c39 17 API calls 4350->4351 4352 402184 4351->4352 4353 402c39 17 API calls 4352->4353 4354 40218e 4353->4354 4355 402c39 17 API calls 4354->4355 4356 40219b 4355->4356 4357 402c39 17 API calls 4356->4357 4358 4021a5 4357->4358 4359 4021e7 CoCreateInstance 4358->4359 4360 402c39 17 API calls 4358->4360 4363 402206 4359->4363 4365 4022b4 4359->4365 4360->4359 4361 401423 24 API calls 4362 4022ea 4361->4362 4364 402294 MultiByteToWideChar 4363->4364 4363->4365 4364->4365 4365->4361 4365->4362 4366 4022f3 4367 402c39 17 API calls 4366->4367 4368 4022f9 4367->4368 4369 402c39 17 API calls 4368->4369 4370 402302 4369->4370 4371 402c39 17 API calls 4370->4371 4372 40230b 4371->4372 4373 4066ff 2 API calls 4372->4373 4374 402314 4373->4374 4375 402325 lstrlenA lstrlenA 4374->4375 4376 402318 4374->4376 4378 4054a9 24 API calls 4375->4378 4377 4054a9 24 API calls 4376->4377 4379 402320 4376->4379 4377->4379 4380 402361 SHFileOperationA 4378->4380 4380->4376 4380->4379 4381 4014f4 SetForegroundWindow 4382 402ac5 4381->4382 4383 402375 4384 40237c 4383->4384 4388 40238f 4383->4388 4385 40641b 17 API calls 4384->4385 4386 402389 4385->4386 4387 405a9e MessageBoxIndirectA 4386->4387 4387->4388 4389 402675 4390 402c17 17 API calls 4389->4390 4391 40267f 4390->4391 4392 
405f93 ReadFile 4391->4392 4393 4026ef 4391->4393 4396 4026ff 4391->4396 4397 4026ed 4391->4397 4392->4391 4398 4062e6 wsprintfA 4393->4398 4395 402715 SetFilePointer 4395->4397 4396->4395 4396->4397 4398->4397 4399 4029f6 4400 402a49 4399->4400 4401 4029fd 4399->4401 4402 406794 5 API calls 4400->4402 4403 402c17 17 API calls 4401->4403 4409 402a47 4401->4409 4404 402a50 4402->4404 4405 402a0b 4403->4405 4406 402c39 17 API calls 4404->4406 4407 402c17 17 API calls 4405->4407 4408 402a59 4406->4408 4411 402a1a 4407->4411 4408->4409 4417 4063db 4408->4417 4416 4062e6 wsprintfA 4411->4416 4413 402a67 4413->4409 4421 4063c5 4413->4421 4416->4409 4419 4063e6 4417->4419 4418 406409 IIDFromString 4418->4413 4419->4418 4420 406402 4419->4420 4420->4413 4424 4063aa WideCharToMultiByte 4421->4424 4423 402a88 CoTaskMemFree 4423->4409 4424->4423 4425 401ef9 4426 402c39 17 API calls 4425->4426 4427 401eff 4426->4427 4428 402c39 17 API calls 4427->4428 4429 401f08 4428->4429 4430 402c39 17 API calls 4429->4430 4431 401f11 4430->4431 4432 402c39 17 API calls 4431->4432 4433 401f1a 4432->4433 4434 401423 24 API calls 4433->4434 4435 401f21 4434->4435 4442 405a64 ShellExecuteExA 4435->4442 4437 401f5c 4438 406809 5 API calls 4437->4438 4439 4027c8 4437->4439 4440 401f76 CloseHandle 4438->4440 4440->4439 4442->4437 3914 401f7b 3915 402c39 17 API calls 3914->3915 3916 401f81 3915->3916 3917 4054a9 24 API calls 3916->3917 3918 401f8b 3917->3918 3919 405a21 2 API calls 3918->3919 3920 401f91 3919->3920 3923 4027c8 3920->3923 3928 401fb2 CloseHandle 3920->3928 3929 406809 WaitForSingleObject 3920->3929 3924 401fa6 3925 401fb4 3924->3925 3926 401fab 3924->3926 3925->3928 3934 4062e6 wsprintfA 3926->3934 3928->3923 3930 406823 3929->3930 3931 406835 GetExitCodeProcess 3930->3931 3932 4067d0 2 API calls 3930->3932 3931->3924 3933 40682a WaitForSingleObject 3932->3933 3933->3930 3934->3928 4450 401ffb 4451 402c39 17 API calls 4450->4451 4452 402002 4451->4452 4453 406794 5 API calls 
4452->4453 4454 402011 4453->4454 4455 402099 4454->4455 4456 402029 GlobalAlloc 4454->4456 4456->4455 4457 40203d 4456->4457 4458 406794 5 API calls 4457->4458 4459 402044 4458->4459 4460 406794 5 API calls 4459->4460 4461 40204e 4460->4461 4461->4455 4465 4062e6 wsprintfA 4461->4465 4463 402089 4466 4062e6 wsprintfA 4463->4466 4465->4463 4466->4455 3956 403a7c 3957 403a97 3956->3957 3958 403a8d CloseHandle 3956->3958 3959 403aa1 CloseHandle 3957->3959 3960 403aab 3957->3960 3958->3957 3959->3960 3965 403ad9 3960->3965 3963 405b4a 67 API calls 3964 403abc 3963->3964 3966 403ae7 3965->3966 3967 403ab0 3966->3967 3968 403aec FreeLibrary GlobalFree 3966->3968 3967->3963 3968->3967 3968->3968 4467 4018fd 4468 401934 4467->4468 4469 402c39 17 API calls 4468->4469 4470 401939 4469->4470 4471 405b4a 67 API calls 4470->4471 4472 401942 4471->4472 3969 40247e 3970 402c39 17 API calls 3969->3970 3971 402490 3970->3971 3972 402c39 17 API calls 3971->3972 3973 40249a 3972->3973 3986 402cc9 3973->3986 3976 402ac5 3977 4024cf 3979 4024db 3977->3979 3990 402c17 3977->3990 3978 402c39 17 API calls 3980 4024c8 lstrlenA 3978->3980 3982 4024fd RegSetValueExA 3979->3982 3983 4031fd 44 API calls 3979->3983 3980->3977 3984 402513 RegCloseKey 3982->3984 3983->3982 3984->3976 3987 402ce4 3986->3987 3993 40623c 3987->3993 3991 40641b 17 API calls 3990->3991 3992 402c2c 3991->3992 3992->3979 3994 40624b 3993->3994 3995 4024aa 3994->3995 3996 406256 RegCreateKeyExA 3994->3996 3995->3976 3995->3977 3995->3978 3996->3995 4473 401cfe 4474 402c17 17 API calls 4473->4474 4475 401d04 IsWindow 4474->4475 4476 401a0e 4475->4476 4477 401000 4478 401037 BeginPaint GetClientRect 4477->4478 4479 40100c DefWindowProcA 4477->4479 4481 4010f3 4478->4481 4482 401179 4479->4482 4483 401073 CreateBrushIndirect FillRect DeleteObject 4481->4483 4484 4010fc 4481->4484 4483->4481 4485 401102 CreateFontIndirectA 4484->4485 4486 401167 EndPaint 4484->4486 4485->4486 4487 401112 6 API calls 4485->4487 4486->4482 
4487->4486 4488 401900 4489 402c39 17 API calls 4488->4489 4490 401907 4489->4490 4491 405a9e MessageBoxIndirectA 4490->4491 4492 401910 4491->4492 4493 402780 4494 402786 4493->4494 4495 40278a FindNextFileA 4494->4495 4496 40279c 4494->4496 4495->4496 4497 4027db 4495->4497 4499 406388 lstrcpynA 4497->4499 4499->4496 4500 401502 4501 40150a 4500->4501 4503 40151d 4500->4503 4502 402c17 17 API calls 4501->4502 4502->4503 4504 401b87 4505 401b94 4504->4505 4506 401bd8 4504->4506 4507 401c1c 4505->4507 4513 401bab 4505->4513 4508 401c01 GlobalAlloc 4506->4508 4509 401bdc 4506->4509 4511 40641b 17 API calls 4507->4511 4518 40238f 4507->4518 4510 40641b 17 API calls 4508->4510 4509->4518 4525 406388 lstrcpynA 4509->4525 4510->4507 4512 402389 4511->4512 4517 405a9e MessageBoxIndirectA 4512->4517 4523 406388 lstrcpynA 4513->4523 4516 401bee GlobalFree 4516->4518 4517->4518 4519 401bba 4524 406388 lstrcpynA 4519->4524 4521 401bc9 4526 406388 lstrcpynA 4521->4526 4523->4519 4524->4521 4525->4516 4526->4518 4527 406a88 4531 40690c 4527->4531 4528 407277 4529 406996 GlobalAlloc 4529->4528 4529->4531 4530 40698d GlobalFree 4530->4529 4531->4528 4531->4529 4531->4530 4532 406a04 GlobalFree 4531->4532 4533 406a0d GlobalAlloc 4531->4533 4532->4533 4533->4528 4533->4531 3381 401389 3383 401390 3381->3383 3382 4013fe 3383->3382 3384 4013cb MulDiv SendMessageA 3383->3384 3384->3383 4534 404e0a GetDlgItem GetDlgItem 4535 404e60 7 API calls 4534->4535 4542 405087 4534->4542 4536 404f08 DeleteObject 4535->4536 4537 404efc SendMessageA 4535->4537 4538 404f13 4536->4538 4537->4536 4540 404f4a 4538->4540 4543 40641b 17 API calls 4538->4543 4539 405169 4541 405215 4539->4541 4545 40507a 4539->4545 4551 4051c2 SendMessageA 4539->4551 4544 404405 18 API calls 4540->4544 4546 405227 4541->4546 4547 40521f SendMessageA 4541->4547 4542->4539 4566 4050f6 4542->4566 4588 404d58 SendMessageA 4542->4588 4548 404f2c SendMessageA SendMessageA 4543->4548 4549 404f5e 4544->4549 4553 40446c 8 API 
calls 4545->4553 4558 405240 4546->4558 4559 405239 ImageList_Destroy 4546->4559 4563 405250 4546->4563 4547->4546 4548->4538 4550 404405 18 API calls 4549->4550 4567 404f6f 4550->4567 4551->4545 4556 4051d7 SendMessageA 4551->4556 4552 40515b SendMessageA 4552->4539 4557 405416 4553->4557 4555 4053ca 4555->4545 4564 4053dc ShowWindow GetDlgItem ShowWindow 4555->4564 4561 4051ea 4556->4561 4562 405249 GlobalFree 4558->4562 4558->4563 4559->4558 4560 405049 GetWindowLongA SetWindowLongA 4565 405062 4560->4565 4573 4051fb SendMessageA 4561->4573 4562->4563 4563->4555 4568 40528b 4563->4568 4593 404dd8 4563->4593 4564->4545 4569 405067 ShowWindow 4565->4569 4570 40507f 4565->4570 4566->4539 4566->4552 4567->4560 4572 404fc1 SendMessageA 4567->4572 4574 405044 4567->4574 4576 405013 SendMessageA 4567->4576 4577 404fff SendMessageA 4567->4577 4581 4052b9 SendMessageA 4568->4581 4585 4052cf 4568->4585 4586 40443a SendMessageA 4569->4586 4587 40443a SendMessageA 4570->4587 4572->4567 4573->4541 4574->4560 4574->4565 4576->4567 4577->4567 4579 405395 4580 4053a0 InvalidateRect 4579->4580 4582 4053ac 4579->4582 4580->4582 4581->4585 4582->4555 4602 404d13 4582->4602 4584 405343 SendMessageA SendMessageA 4584->4585 4585->4579 4585->4584 4586->4545 4587->4542 4589 404db7 SendMessageA 4588->4589 4590 404d7b GetMessagePos ScreenToClient SendMessageA 4588->4590 4592 404daf 4589->4592 4591 404db4 4590->4591 4590->4592 4591->4589 4592->4566 4605 406388 lstrcpynA 4593->4605 4595 404deb 4606 4062e6 wsprintfA 4595->4606 4597 404df5 4598 40140b 2 API calls 4597->4598 4599 404dfe 4598->4599 4607 406388 lstrcpynA 4599->4607 4601 404e05 4601->4568 4608 404c4e 4602->4608 4604 404d28 4604->4555 4605->4595 4606->4597 4607->4601 4609 404c64 4608->4609 4610 40641b 17 API calls 4609->4610 4611 404cc8 4610->4611 4612 40641b 17 API calls 4611->4612 4613 404cd3 4612->4613 4614 40641b 17 API calls 4613->4614 4615 404ce9 lstrlenA wsprintfA SetDlgItemTextA 4614->4615 4615->4604 4616 40298a 4617 
402c17 17 API calls 4616->4617 4619 402990 4617->4619 4618 40641b 17 API calls 4620 4027c8 4618->4620 4619->4618 4619->4620 4621 403f0b 4622 403f23 4621->4622 4623 404084 4621->4623 4622->4623 4624 403f2f 4622->4624 4625 4040d5 4623->4625 4626 404095 GetDlgItem GetDlgItem 4623->4626 4627 403f3a SetWindowPos 4624->4627 4628 403f4d 4624->4628 4630 40412f 4625->4630 4641 401389 2 API calls 4625->4641 4629 404405 18 API calls 4626->4629 4627->4628 4632 403f56 ShowWindow 4628->4632 4633 403f98 4628->4633 4634 4040bf SetClassLongA 4629->4634 4631 404451 SendMessageA 4630->4631 4635 40407f 4630->4635 4662 404141 4631->4662 4636 404042 4632->4636 4637 403f76 GetWindowLongA 4632->4637 4638 403fa0 DestroyWindow 4633->4638 4639 403fb7 4633->4639 4640 40140b 2 API calls 4634->4640 4642 40446c 8 API calls 4636->4642 4637->4636 4643 403f8f ShowWindow 4637->4643 4691 40438e 4638->4691 4644 403fbc SetWindowLongA 4639->4644 4645 403fcd 4639->4645 4640->4625 4646 404107 4641->4646 4642->4635 4643->4633 4644->4635 4645->4636 4650 403fd9 GetDlgItem 4645->4650 4646->4630 4647 40410b SendMessageA 4646->4647 4647->4635 4648 40140b 2 API calls 4648->4662 4649 404390 DestroyWindow EndDialog 4649->4691 4652 404007 4650->4652 4653 403fea SendMessageA IsWindowEnabled 4650->4653 4651 4043bf ShowWindow 4651->4635 4655 404014 4652->4655 4656 40405b SendMessageA 4652->4656 4657 404027 4652->4657 4665 40400c 4652->4665 4653->4635 4653->4652 4654 40641b 17 API calls 4654->4662 4655->4656 4655->4665 4656->4636 4660 404044 4657->4660 4661 40402f 4657->4661 4658 4043de SendMessageA 4658->4636 4659 404405 18 API calls 4659->4662 4664 40140b 2 API calls 4660->4664 4663 40140b 2 API calls 4661->4663 4662->4635 4662->4648 4662->4649 4662->4654 4662->4659 4666 404405 18 API calls 4662->4666 4682 4042d0 DestroyWindow 4662->4682 4663->4665 4664->4665 4665->4636 4665->4658 4667 4041bc GetDlgItem 4666->4667 4668 4041d1 4667->4668 4669 4041d9 ShowWindow EnableWindow 4667->4669 4668->4669 4692 404427 

                                                                Control-flow Graph (function 4034cc)
                                                                APIs
                                                                • SetErrorMode.KERNEL32(00008001), ref: 004034EF
                                                                • GetVersionExA.KERNEL32(?), ref: 00403518
                                                                • GetVersionExA.KERNEL32(0000009C), ref: 0040352F
                                                                • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004035F8
                                                                • #17.COMCTL32(?,00000007,00000009,0000000B), ref: 00403635
                                                                • OleInitialize.OLE32(00000000), ref: 0040363C
                                                                • SHGetFileInfoA.SHELL32(0041FD10,00000000,?,00000160,00000000,?,00000007,00000009,0000000B), ref: 0040365A
                                                                • GetCommandLineA.KERNEL32(00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 0040366F
                                                                • CharNextA.USER32(00000000,C:\Users\user\AppData\Local\Temp\3D69.exe,00000020,C:\Users\user\AppData\Local\Temp\3D69.exe,00000000,?,00000007,00000009,0000000B), ref: 004036A9
                                                                • GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000007,00000009,0000000B), ref: 004037A2
                                                                • GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 004037B3
                                                                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004037BF
                                                                • GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 004037D3
                                                                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004037DB
                                                                • SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 004037EC
                                                                • SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004037F4
                                                                • DeleteFileA.KERNEL32(1033,?,00000007,00000009,0000000B), ref: 00403808
                                                                • ExitProcess.KERNEL32(?,?,00000007,00000009,0000000B), ref: 004038AE
                                                                • OleUninitialize.OLE32(?,?,00000007,00000009,0000000B), ref: 004038B3
                                                                • ExitProcess.KERNEL32 ref: 004038D4
                                                                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,C:\Users\user\AppData\Local\Temp\3D69.exe,00000000,?,?,00000007,00000009,0000000B), ref: 004038E7
                                                                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A1B0,C:\Users\user\AppData\Local\Temp\,~nsu,C:\Users\user\AppData\Local\Temp\3D69.exe,00000000,?,?,00000007,00000009,0000000B), ref: 004038F6
                                                                • lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,C:\Users\user\AppData\Local\Temp\3D69.exe,00000000,?,?,00000007,00000009,0000000B), ref: 00403901
                                                                • lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp), ref: 0040390D
                                                                • SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 00403929
                                                                • DeleteFileA.KERNEL32(0041F910,0041F910,?,00425000,?,?,00000007,00000009,0000000B), ref: 00403986
                                                                • CopyFileA.KERNEL32(C:\Users\user\AppData\Local\Temp\3D69.exe,0041F910,00000001), ref: 0040399B
                                                                • CloseHandle.KERNEL32(00000000,0041F910,0041F910,?,0041F910,00000000,?,00000007,00000009,0000000B), ref: 004039C8
                                                                • GetCurrentProcess.KERNEL32(00000028,?,00000007,00000009,0000000B), ref: 004039F6
                                                                • OpenProcessToken.ADVAPI32(00000000), ref: 004039FD
                                                                • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403A11
                                                                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403A30
                                                                • ExitWindowsEx.USER32(00000002,80040002), ref: 00403A55
                                                                • ExitProcess.KERNEL32 ref: 00403A76
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: Processlstrcat$ExitFile$CurrentDeleteDirectoryEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
                                                                • String ID: "$.tmp$1033$A$C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\3D69.exe$C:\Users\user\AppData\Local\Temp\3D69.exe$C:\Users\user\AppData\Roaming\GamePall$C:\Users\user\AppData\Roaming\GamePall\update$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                                • API String ID: 2882342585-2658701088
                                                                • Opcode ID: d18186efe810cf451430c4e096b9aeccec46dfe8f60ebdd611bfa721823b35b5
                                                                • Instruction ID: 1a4863036e4e50ed5e1acae1e6299f6db15da00d6e87979e5214c03ba8a99dba
                                                                • Opcode Fuzzy Hash: d18186efe810cf451430c4e096b9aeccec46dfe8f60ebdd611bfa721823b35b5
                                                                • Instruction Fuzzy Hash: 99E1D270A04354AADB21AF659D49B6F7EB89F86306F0540BFF441B61D2CB7C4A05CB2E

                                                                Control-flow Graph (function 100010d0)
                                                                APIs
                                                                • GetVersionExA.KERNEL32(?), ref: 100010F2
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4110287907.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 00000008.00000002.4098157876.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 00000008.00000002.4127265171.0000000010002000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 00000008.00000002.4138567398.0000000010004000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_10000000_3D69.jbxd
                                                                Similarity
                                                                • API ID: Version
                                                                • String ID: CreateToolhelp32Snapshot$KERNEL32.DLL$NTDLL.DLL$NtQuerySystemInformation$Process32First$Process32Next
                                                                • API String ID: 1889659487-877962304
                                                                • Opcode ID: 65e34132412926b77cd70352a95a1b322544ba155a4a88647b4c9b484df59334
                                                                • Instruction ID: 3df706415bff85d1043f51983ae3f68c733976b3404a17f8fb4488dcc6387507
                                                                • Opcode Fuzzy Hash: 65e34132412926b77cd70352a95a1b322544ba155a4a88647b4c9b484df59334
                                                                • Instruction Fuzzy Hash: 19715871900659EFFB11DFA4CC88ADE3BEAEB483C4F250026FA19D2159E6358E49CB50

                                                                Control-flow Graph (function 405b4a)
                                                                APIs
                                                                • DeleteFileA.KERNEL32(?,?,75923410,75922EE0,C:\Users\user\AppData\Local\Temp\3D69.exe), ref: 00405B73
                                                                • lstrcatA.KERNEL32(00421D58,\*.*,00421D58,?,?,75923410,75922EE0,C:\Users\user\AppData\Local\Temp\3D69.exe), ref: 00405BBB
                                                                • lstrcatA.KERNEL32(?,0040A014,?,00421D58,?,?,75923410,75922EE0,C:\Users\user\AppData\Local\Temp\3D69.exe), ref: 00405BDC
                                                                • lstrlenA.KERNEL32(?,?,0040A014,?,00421D58,?,?,75923410,75922EE0,C:\Users\user\AppData\Local\Temp\3D69.exe), ref: 00405BE2
                                                                • FindFirstFileA.KERNEL32(00421D58,?,?,?,0040A014,?,00421D58,?,?,75923410,75922EE0,C:\Users\user\AppData\Local\Temp\3D69.exe), ref: 00405BF3
                                                                • FindNextFileA.KERNELBASE(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 00405CA0
                                                                • FindClose.KERNEL32(00000000), ref: 00405CB1
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
• Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                • String ID: C:\Users\user\AppData\Local\Temp\3D69.exe$\*.*
                                                                • API String ID: 2035342205-2236467006
                                                                • Opcode ID: 2ba348f7f603991e7b2998a01f0f2af9ee039e7695cfc72fde993ee98a245b0d
                                                                • Instruction ID: 9e5d3321e74a3647b1fb2cdcf4bec0a51507e3563529971eb59e862f6dba24c5
                                                                • Opcode Fuzzy Hash: 2ba348f7f603991e7b2998a01f0f2af9ee039e7695cfc72fde993ee98a245b0d
                                                                • Instruction Fuzzy Hash: 2B519130908B04AAEB316B61CC49BAF7AB8DF82755F14813FF851B51D2C73C5982DE69

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
control_flow_graph 713 406a88-406a8d 714 406afe-406b1c 713->714 715 406a8f-406abe 713->715 716 4070f4-407109 714->716 717 406ac0-406ac3 715->717 718 406ac5-406ac9 715->718 719 407123-407139 716->719 720 40710b-407121 716->720 721 406ad5-406ad8 717->721 722 406ad1 718->722 723 406acb-406acf 718->723 724 40713c-407143 719->724 720->724 725 406af6-406af9 721->725 726 406ada-406ae3 721->726 722->721 723->721 728 407145-407149 724->728 729 40716a-407176 724->729 727 406ccb-406ce9 725->727 730 406ae5 726->730 731 406ae8-406af4 726->731 732 406d01-406d13 727->732 733 406ceb-406cff 727->733 734 4072f8-407302 728->734 735 40714f-407167 728->735 742 40690c-406915 729->742 730->731 737 406b5e-406b8c 731->737 741 406d16-406d20 732->741 733->741 740 40730e-407321 734->740 735->729 738 406ba8-406bc2 737->738 739 406b8e-406ba6 737->739 743 406bc5-406bcf 738->743 739->743 748 407326-40732a 740->748 746 406d22 741->746 747 406cc3-406cc9 741->747 744 407323 742->744 745 40691b 742->745 750 406bd5 743->750 751 406b46-406b4c 743->751 744->748 752 406922-406926 745->752 753 406a62-406a83 745->753 754 4069c7-4069cb 745->754 755 406a37-406a3b 745->755 756 406e33-406e40 746->756 757 406c9e-406ca2 746->757 747->727 749 406c67-406c71 747->749 758 4072b6-4072c0 749->758 759 406c77-406c99 749->759 771 407292-40729c 750->771 772 406b2b-406b43 750->772 760 406b52-406b58 751->760 761 406bff-406c05 751->761 752->740 768 40692c-406939 752->768 753->716 762 4069d1-4069ea 754->762 763 407277-407281 754->763 769 406a41-406a55 755->769 770 407286-407290 755->770 756->742 767 406e8f-406e9e 756->767 764 406ca8-406cc0 757->764 765 4072aa-4072b4 757->765 758->740 759->756 760->737 773 406c63 760->773 761->773 775 406c07-406c25 761->775 776 4069ed-4069f1 762->776 763->740 764->747 765->740 767->716 768->744 774 40693f-406985 768->774 777 406a58-406a60 769->777 770->740 771->740 772->751 773->749 779 406987-40698b 774->779 780 4069ad-4069af 774->780 781 406c27-406c3b 775->781 782 406c3d-406c4f 775->782 776->754 778 4069f3-4069f9 776->778 777->753 777->755 788 406a23-406a35 778->788 789 4069fb-406a02 778->789 783 406996-4069a4 GlobalAlloc 779->783 784 40698d-406990 GlobalFree 779->784 786 4069b1-4069bb 780->786 787 4069bd-4069c5 780->787 785 406c52-406c5c 781->785 782->785 783->744 790 4069aa 783->790 784->783 785->761 791 406c5e 785->791 786->786 786->787 787->776 788->777 792 406a04-406a07 GlobalFree 789->792 793 406a0d-406a1d GlobalAlloc 789->793 790->780 795 406be4-406bfc 791->795 796 40729e-4072a8 791->796 792->793 793->744 793->788 795->761 796->740
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: b420139e1bb7bdc71f93166ff3cf2c8d4b4e2e8bf29b11b667125d81af8f4237
                                                                • Instruction ID: c2ee61ea0ab5e5811791f69f03c7ffba3fbd093a674906ee4b434ab4c587e2e9
                                                                • Opcode Fuzzy Hash: b420139e1bb7bdc71f93166ff3cf2c8d4b4e2e8bf29b11b667125d81af8f4237
                                                                • Instruction Fuzzy Hash: 0FF18A70D04269CBDF28CF98C8946ADBBB0FF44305F24816ED856BB281D7786A86DF45
                                                                APIs
                                                                • FindFirstFileA.KERNEL32(75923410,004225A0,C:\,00405E4B,C:\,C:\,00000000,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0), ref: 0040670A
                                                                • FindClose.KERNEL32(00000000), ref: 00406716
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: Find$CloseFileFirst
                                                                • String ID: C:\
                                                                • API String ID: 2295610775-3404278061
                                                                • Opcode ID: a8a8e6ca181c7703a692eace486e77433675a7c42b8a8fe2eb47bb99df7a0189
                                                                • Instruction ID: 083b1303d1f5dd1ba3b50291930e0491dd498af142a60d7bee4daa0eb941c193
                                                                • Opcode Fuzzy Hash: a8a8e6ca181c7703a692eace486e77433675a7c42b8a8fe2eb47bb99df7a0189
                                                                • Instruction Fuzzy Hash: B3D01231515120BBC3405B38AE0C95B7E589F093747618A36F066F22E4DB74CC6286AC

Control-flow Graph
                                                                control_flow_graph 142 403b6e-403b86 call 406794 145 403b88-403b98 call 4062e6 142->145 146 403b9a-403bcb call 40626f 142->146 155 403bee-403c17 call 403e33 call 405e08 145->155 150 403be3-403be9 lstrcatA 146->150 151 403bcd-403bde call 40626f 146->151 150->155 151->150 160 403c1d-403c22 155->160 161 403c9e-403ca6 call 405e08 155->161 160->161 162 403c24-403c48 call 40626f 160->162 166 403cb4-403cd9 LoadImageA 161->166 167 403ca8-403caf call 40641b 161->167 162->161 169 403c4a-403c4c 162->169 171 403d5a-403d62 call 40140b 166->171 172 403cdb-403d0b RegisterClassA 166->172 167->166 173 403c5d-403c69 lstrlenA 169->173 174 403c4e-403c5b call 405d45 169->174 185 403d64-403d67 171->185 186 403d6c-403d77 call 403e33 171->186 175 403d11-403d55 SystemParametersInfoA CreateWindowExA 172->175 176 403e29 172->176 180 403c91-403c99 call 405d1a call 406388 173->180 181 403c6b-403c79 lstrcmpiA 173->181 174->173 175->171 179 403e2b-403e32 176->179 180->161 181->180 184 403c7b-403c85 GetFileAttributesA 181->184 188 403c87-403c89 184->188 189 403c8b-403c8c call 405d61 184->189 185->179 195 403e00-403e08 call 40557b 186->195 196 403d7d-403d97 ShowWindow call 406726 186->196 188->180 188->189 189->180 203 403e22-403e24 call 40140b 195->203 204 403e0a-403e10 195->204 201 403da3-403db5 GetClassInfoA 196->201 202 403d99-403d9e call 406726 196->202 207 403db7-403dc7 GetClassInfoA RegisterClassA 201->207 208 403dcd-403dfe DialogBoxParamA call 40140b call 403abe 201->208 202->201 203->176 204->185 209 403e16-403e1d call 40140b 204->209 207->208 208->179 209->185
                                                                APIs
                                                                  • Part of subcall function 00406794: GetModuleHandleA.KERNEL32(?,00000000,?,0040360E,0000000B), ref: 004067A6
                                                                  • Part of subcall function 00406794: GetProcAddress.KERNEL32(00000000,?), ref: 004067C1
                                                                • lstrcatA.KERNEL32(1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000,00000002,75923410,C:\Users\user\AppData\Local\Temp\,?,C:\Users\user\AppData\Local\Temp\3D69.exe,00000009,0000000B), ref: 00403BE9
                                                                • lstrlenA.KERNEL32(C:\Windows\wininit.ini,?,?,?,C:\Windows\wininit.ini,00000000,C:\Users\user\AppData\Roaming\GamePall,1033,00420D50,80000001,Control Panel\Desktop\ResourceLocale,00000000,00420D50,00000000,00000002,75923410), ref: 00403C5E
                                                                • lstrcmpiA.KERNEL32(?,.exe), ref: 00403C71
                                                                • GetFileAttributesA.KERNEL32(C:\Windows\wininit.ini,?,C:\Users\user\AppData\Local\Temp\3D69.exe,00000009,0000000B), ref: 00403C7C
                                                                • LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\GamePall), ref: 00403CC5
                                                                  • Part of subcall function 004062E6: wsprintfA.USER32 ref: 004062F3
                                                                • RegisterClassA.USER32(00423EE0), ref: 00403D02
                                                                • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403D1A
                                                                • CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403D4F
                                                                • ShowWindow.USER32(00000005,00000000,?,C:\Users\user\AppData\Local\Temp\3D69.exe,00000009,0000000B), ref: 00403D85
                                                                • GetClassInfoA.USER32(00000000,RichEdit20A,00423EE0), ref: 00403DB1
                                                                • GetClassInfoA.USER32(00000000,RichEdit,00423EE0), ref: 00403DBE
                                                                • RegisterClassA.USER32(00423EE0), ref: 00403DC7
                                                                • DialogBoxParamA.USER32(?,00000000,00403F0B,00000000), ref: 00403DE6
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                • String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\3D69.exe$C:\Users\user\AppData\Roaming\GamePall$C:\Windows\wininit.ini$Control Panel\Desktop\ResourceLocale$PB$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb$>B
                                                                • API String ID: 1975747703-4255742866
                                                                • Opcode ID: dbde64bc3a376ab52a9cb3762a64ce6a0c2f330f4a95e62c6433b020d27b21d7
                                                                • Instruction ID: 5836c5bb6a6ef8c4ff0aed12ec42ff3eebf2d58129c507535c8ab2622d1094a3
                                                                • Opcode Fuzzy Hash: dbde64bc3a376ab52a9cb3762a64ce6a0c2f330f4a95e62c6433b020d27b21d7
                                                                • Instruction Fuzzy Hash: 4F61D670204200AED620AF65AD45F3B3A7CEB8574AF41453FF951B62E2CB7D9D028B6D

Control-flow Graph
                                                                control_flow_graph 275 402f5c-402faa GetTickCount GetModuleFileNameA call 405f1b 278 402fb6-402fe4 call 406388 call 405d61 call 406388 GetFileSize 275->278 279 402fac-402fb1 275->279 287 402fea 278->287 288 4030cf-4030dd call 402ebd 278->288 280 4031f6-4031fa 279->280 290 402fef-403006 287->290 295 4030e3-4030e6 288->295 296 4031ae-4031b3 288->296 292 403008 290->292 293 40300a-403013 call 40346e 290->293 292->293 300 403019-403020 293->300 301 40316a-403172 call 402ebd 293->301 298 403112-40315e GlobalAlloc call 4068b9 call 405f4a CreateFileA 295->298 299 4030e8-403100 call 403484 call 40346e 295->299 296->280 326 403160-403165 298->326 327 403174-4031a4 call 403484 call 4031fd 298->327 299->296 321 403106-40310c 299->321 305 403022-403036 call 405ed6 300->305 306 40309c-4030a0 300->306 301->296 311 4030aa-4030b0 305->311 324 403038-40303f 305->324 310 4030a2-4030a9 call 402ebd 306->310 306->311 310->311 317 4030b2-4030bc call 40684b 311->317 318 4030bf-4030c7 311->318 317->318 318->290 325 4030cd 318->325 321->296 321->298 324->311 329 403041-403048 324->329 325->288 326->280 335 4031a9-4031ac 327->335 329->311 331 40304a-403051 329->331 331->311 334 403053-40305a 331->334 334->311 336 40305c-40307c 334->336 335->296 337 4031b5-4031c6 335->337 336->296 338 403082-403086 336->338 339 4031c8 337->339 340 4031ce-4031d3 337->340 341 403088-40308c 338->341 342 40308e-403096 338->342 339->340 343 4031d4-4031da 340->343 341->325 341->342 342->311 344 403098-40309a 342->344 343->343 345 4031dc-4031f4 call 405ed6 343->345 344->311 345->280
                                                                APIs
                                                                • GetTickCount.KERNEL32 ref: 00402F70
                                                                • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\3D69.exe,00000400), ref: 00402F8C
                                                                  • Part of subcall function 00405F1B: GetFileAttributesA.KERNEL32(00000003,00402F9F,C:\Users\user\AppData\Local\Temp\3D69.exe,80000000,00000003), ref: 00405F1F
                                                                  • Part of subcall function 00405F1B: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41
                                                                • GetFileSize.KERNEL32(00000000,00000000,0042C000,00000000,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\3D69.exe,C:\Users\user\AppData\Local\Temp\3D69.exe,80000000,00000003), ref: 00402FD5
                                                                • GlobalAlloc.KERNEL32(00000040,00000009), ref: 00403117
                                                                Strings
                                                                • Null, xrefs: 00403053
                                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00402F66, 0040312F
                                                                • C:\Users\user\AppData\Local\Temp\3D69.exe, xrefs: 00402F76, 00402F85, 00402F99, 00402FB6
                                                                • C:\Users\user\AppData\Local\Temp, xrefs: 00402FB7, 00402FBC, 00402FC2
                                                                • soft, xrefs: 0040304A
• Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author to obtain a new copy. More information at: http://nsis.sf.net/NSIS_Error, xrefs: 004031AE
                                                                • C:\Users\user\AppData\Local\Temp\3D69.exe, xrefs: 00402F65
                                                                • Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403160
                                                                • Error launching installer, xrefs: 00402FAC
                                                                • Inst, xrefs: 00403041
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
• String ID: C:\Users\user\AppData\Local\Temp$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\3D69.exe$C:\Users\user\AppData\Local\Temp\3D69.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installer's author to obtain a new copy. More information at: http://nsis.sf.net/NSIS_Error$Null$soft
                                                                • API String ID: 2803837635-1605285268
                                                                • Opcode ID: 948897f0a7bf445ed3fd87f3f97ca94f99971360adfd1b44ac20b9f0a6b79c08
                                                                • Instruction ID: 8a05da1d373fd2b3e089436e62a275652004ed3b6aa6cfe031be989f12afac8e
                                                                • Opcode Fuzzy Hash: 948897f0a7bf445ed3fd87f3f97ca94f99971360adfd1b44ac20b9f0a6b79c08
                                                                • Instruction Fuzzy Hash: 0771E231A01218ABDB20EF65DD85B9E7BACEB44356F10813BF910BA2C1D77C9E458B5C
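The routine at 0x402f5c is the NSIS installer stub's self-header search: it resolves its own path with GetModuleFileNameA, opens the image, takes GetFileSize, and compares DWORDs against "Inst", "soft" and "Null" (xrefs 00403041, 0040304A, 00403053) while walking the file; when nothing matches it shows the NSIS_Error text listed above. That tells an analyst that 3D69.exe is an NSIS package wrapping the actual payload, which extraction tools such as 7-Zip can unpack. The Python below is an added example for this report, not code from Joe Sandbox, from the sample or from the NSIS project. It reimplements the stub's check offline: the 28-byte firstheader layout, the 0xDEADBEEF signature, the 512-byte stepping the stub uses before the header is found, the "remaining bytes must equal length_of_all_following_data" integrity check, and the optional CRC32 trailer. The sample image it scans is constructed inline (a fake MZ stub plus a header and opaque payload), and its header_len field is a placeholder.

```python
"""Re-implementation of the NSIS firstheader search performed by the routine
at 0x402f5c in this report.  Added example; not code from Joe Sandbox, the
sample, or the NSIS project.

NSIS 'firstheader' (28 bytes, little-endian):
    flags, siginfo (0xDEADBEEF), nsinst[3] ("Null","soft","Inst"),
    length_of_header, length_of_all_following_data
"""
import struct
import zlib

FH_SIG = 0xDEADBEEF
FH_MAGIC = b"NullsoftInst"      # the three DWORD compares "Null", "soft", "Inst"
FH_FLAGS_UNINSTALL = 1
FH_FLAGS_SILENT = 2
FH_FLAGS_NO_CRC = 4
FH_FLAGS_FORCE_CRC = 8
FH_FLAGS_MASK = 0xF
FIRSTHEADER = struct.Struct("<II12sII")
STEP = 512                      # the stub reads 512-byte chunks until the header is found


def find_nsis_firstheader(data: bytes):
    """Return a dict describing the firstheader, or None when no candidate passes
    the stub's checks (the case in which the stub reports
    'Installer integrity check has failed')."""
    for off in range(0, len(data) - FIRSTHEADER.size + 1, STEP):
        flags, sig, magic, hdr_len, following = FIRSTHEADER.unpack_from(data, off)
        if sig != FH_SIG or magic != FH_MAGIC or flags & ~FH_FLAGS_MASK:
            continue
        # Integrity check: the header must claim exactly the bytes that remain
        # from its own offset to EOF.  A truncated or padded download fails
        # here even though the signature matched.
        if following != len(data) - off:
            continue
        result = {
            "offset": off,
            "flags": flags,
            "uninstaller": bool(flags & FH_FLAGS_UNINSTALL),
            "silent": bool(flags & FH_FLAGS_SILENT),
            "header_len": hdr_len,
            "following_len": following,
            "crc_ok": None,
        }
        if not flags & FH_FLAGS_NO_CRC:
            # CRC32 over the whole image except the 4-byte trailer that stores it.
            stored = struct.unpack_from("<I", data, len(data) - 4)[0]
            result["crc_ok"] = (zlib.crc32(data[:-4]) & 0xFFFFFFFF) == stored
        return result
    return None


def build_sample(flags: int, payload: bytes, stub_size: int = 1024,
                 corrupt_crc: bool = False) -> bytes:
    """Constructed test image, not a real installer: a fake MZ 'stub' padded to a
    512-byte boundary, then a firstheader and an opaque payload, then the CRC
    trailer when the flags ask for one.  header_len is a placeholder."""
    stub = b"MZ" + b"\0" * (stub_size - 2)
    trailer = 0 if flags & FH_FLAGS_NO_CRC else 4
    following = FIRSTHEADER.size + len(payload) + trailer
    hdr = FIRSTHEADER.pack(flags, FH_SIG, FH_MAGIC, len(payload), following)
    image = stub + hdr + payload
    if trailer:
        crc = zlib.crc32(image) & 0xFFFFFFFF
        if corrupt_crc:
            crc ^= 1            # simulate a damaged download
        image += struct.pack("<I", crc)
    return image


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_sample(0, b"\xAA" * 300)
    print(find_nsis_firstheader(blob))
```

Run it against a real dropped file to get the header offset and flags; a result of None on a file that contains "NullsoftInst" means the stub's own integrity check would fail too, typically because the sample was truncated or had bytes appended after capture.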

Control-flow Graph
                                                                control_flow_graph 348 405ff1-406015 349 406017-40602f call 405f1b CloseHandle GetShortPathNameA 348->349 350 40603d-40604c GetShortPathNameA 348->350 353 40615c-406160 349->353 357 406035-406037 349->357 352 406052-406054 350->352 350->353 352->353 355 40605a-406098 wsprintfA call 40641b call 405f1b 352->355 355->353 361 40609e-4060ba GetFileSize GlobalAlloc 355->361 357->350 357->353 362 4060c0-4060ca call 405f93 361->362 363 406155-406156 CloseHandle 361->363 362->363 366 4060d0-4060dd call 405e80 362->366 363->353 369 4060f3-406105 call 405e80 366->369 370 4060df-4060f1 lstrcpyA 366->370 376 406124 369->376 377 406107-40610d 369->377 371 406128 370->371 373 40612a-40614f call 405ed6 SetFilePointer call 405fc2 GlobalFree 371->373 373->363 376->371 378 406115-406117 377->378 380 406119-406122 378->380 381 40610f-406114 378->381 380->373 381->378
                                                                APIs
                                                                • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00406182,?,?), ref: 00406022
                                                                • GetShortPathNameA.KERNEL32(?,NUL,00000400), ref: 0040602B
                                                                  • Part of subcall function 00405E80: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E90
                                                                  • Part of subcall function 00405E80: lstrlenA.KERNEL32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EC2
                                                                • GetShortPathNameA.KERNEL32(?,C:\Windows\wininit.ini,00000400), ref: 00406048
                                                                • wsprintfA.USER32 ref: 00406066
                                                                • GetFileSize.KERNEL32(00000000,00000000,C:\Windows\wininit.ini,C0000000,00000004,C:\Windows\wininit.ini,?,?,?,?,?), ref: 004060A1
                                                                • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060B0
                                                                • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E8
                                                                • SetFilePointer.KERNEL32(0040A3F0,00000000,00000000,00000000,00000000,NUL=C:\Users\user\AppData\Local\Temp\nsq35F8.tmp\,00000000,-0000000A,0040A3F0,00000000,[Rename],00000000,00000000,00000000), ref: 0040613E
                                                                • GlobalFree.KERNEL32(00000000), ref: 0040614F
                                                                • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406156
                                                                  • Part of subcall function 00405F1B: GetFileAttributesA.KERNEL32(00000003,00402F9F,C:\Users\user\AppData\Local\Temp\3D69.exe,80000000,00000003), ref: 00405F1F
                                                                  • Part of subcall function 00405F1B: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                • String ID: %s=%s$C:\Windows\wininit.ini$NUL$NUL=C:\Users\user\AppData\Local\Temp\nsq35F8.tmp\$[Rename]
                                                                • API String ID: 2171350718-1791448715
                                                                • Opcode ID: 2ac8773abaa14c2605e43abf0f292608002e21a2c197761b550c40717a00d302
                                                                • Instruction ID: 7566a5a9e9d08134d14435fb5d3e1561ad96112206bac95af022f508aac3f812
                                                                • Opcode Fuzzy Hash: 2ac8773abaa14c2605e43abf0f292608002e21a2c197761b550c40717a00d302
                                                                • Instruction Fuzzy Hash: 68310531200715BBC2207B659D49F6B3A5DDF85754F15003EFE42BA2C3EA7CD8228AAD

                                                                Control-flow Graph: function 0040641B-00406663 (graph figure)
                                                                APIs
                                                                • GetSystemDirectoryA.KERNEL32(C:\Windows\wininit.ini,00000400), ref: 00406549
                                                                • GetWindowsDirectoryA.KERNEL32(C:\Windows\wininit.ini,00000400,?,00420530,00000000,004054E1,00420530,00000000), ref: 0040655C
                                                                • SHGetSpecialFolderLocation.SHELL32(004054E1,00000000,?,00420530,00000000,004054E1,00420530,00000000), ref: 00406598
                                                                • SHGetPathFromIDListA.SHELL32(00000000,C:\Windows\wininit.ini), ref: 004065A6
                                                                • CoTaskMemFree.OLE32(00000000), ref: 004065B2
                                                                • lstrcatA.KERNEL32(C:\Windows\wininit.ini,\Microsoft\Internet Explorer\Quick Launch), ref: 004065D6
                                                                • lstrlenA.KERNEL32(C:\Windows\wininit.ini,?,00420530,00000000,004054E1,00420530,00000000,00000000,00000000,00000000), ref: 00406628
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                                • String ID: C:\Windows\wininit.ini$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                • API String ID: 717251189-1428620962
                                                                • Opcode ID: 28fe3fa0c873c230fa859cbc890347587b683f5d94c1146f2a959db860f2b1f6
                                                                • Instruction ID: f38e20b3a3e0c1a2470d5ac0c6d90f06be75126661b475aa23e0086d5b044b98
                                                                • Opcode Fuzzy Hash: 28fe3fa0c873c230fa859cbc890347587b683f5d94c1146f2a959db860f2b1f6
                                                                • Instruction Fuzzy Hash: 9F612370900114AEDF205F24EC90BBA3BA4EB52314F52403FE913B62D1D37D8A62DB4E

                                                                Control-flow Graph

                                                                APIs
                                                                • lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Roaming\GamePall\update,00000000,00000000,00000031), ref: 00401798
                                                                • CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Local\Temp\setup.exe,00000000,00000000,C:\Users\user\AppData\Local\Temp\setup.exe,C:\Users\user\AppData\Roaming\GamePall\update,00000000,00000000,00000031), ref: 004017C2
                                                                  • Part of subcall function 00406388: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,0040366F,00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 00406395
                                                                  • Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
                                                                  • Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
                                                                  • Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
                                                                  • Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
                                                                  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
                                                                  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
                                                                  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                • String ID: C:\Users\user\AppData\Local\Temp\nsq35F8.tmp\INetC.dll$C:\Users\user\AppData\Local\Temp\setup.exe$C:\Users\user\AppData\Roaming\GamePall\update
                                                                • API String ID: 1941528284-3315452645
                                                                • Opcode ID: 531cf43c35c58c4dd4a4f90f95c8ebf7c3fa560a9c590302947909e1ab3ecca7
                                                                • Instruction ID: 0d76be79c55a0237b493b10f9ec5be6125ba7ce9be49b25e4c886387d44134cc
                                                                • Opcode Fuzzy Hash: 531cf43c35c58c4dd4a4f90f95c8ebf7c3fa560a9c590302947909e1ab3ecca7
                                                                • Instruction Fuzzy Hash: E141B731900615BBCB107BB5CC45DAF3668EF45329B61833BF422F10E1D67C8A529AAE

                                                                Control-flow Graph: function 00406726-00406791 (graph figure)
                                                                APIs
                                                                • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040673D
                                                                • wsprintfA.USER32 ref: 00406776
                                                                • LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 0040678A
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                • String ID: %s%s.dll$UXTHEME$\
                                                                • API String ID: 2200240437-4240819195
                                                                • Opcode ID: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
                                                                • Instruction ID: 0c3db372634d2cfba6f48721b0c795b31ebca02323a8b7d7371d162bf0ec7b9a
                                                                • Opcode Fuzzy Hash: dd037f00298a2975fe7e642a10d0852ddcb34bcb2038a79f7270f2bd0b83f80d
                                                                • Instruction Fuzzy Hash: FBF0FC7050021966DB15A764DD0DFEA365CAB08309F1404BEA586E20C1D6B8D5258B69

                                                                Control-flow Graph: function 004068D9-0040732A (graph figure)
                                                                Strings
                                                                • o be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 004068E3
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: o be not permitted or dropped out!Please reconnect and click Retry to resume installation.
                                                                • API String ID: 0-292220189
                                                                • Opcode ID: 9b20245c0637e97ad79b0c04fd837c43a33b4178456ec09291c35722496dfe88
                                                                • Instruction ID: 8182d74baebb800b0d472bca2432a1a472ea96a2662ae7b36db949844af6c4d7
                                                                • Opcode Fuzzy Hash: 9b20245c0637e97ad79b0c04fd837c43a33b4178456ec09291c35722496dfe88
                                                                • Instruction Fuzzy Hash: DF815971E04228DBEF24CFA8C844BADBBB1FF44305F10816AD956BB281C7786986DF45

                                                                Control-flow Graph: function 00403305-0040346B (graph figure)
                                                                APIs
                                                                • GetTickCount.KERNEL32 ref: 00403319
                                                                  • Part of subcall function 00403484: SetFilePointer.KERNEL32(00000000,00000000,00000000,00403182,?), ref: 00403492
                                                                • SetFilePointer.KERNEL32(00000000,00000000,?,00000000,0040322F,00000004,00000000,00000000,0000000B,?,004031A9,000000FF,00000000,00000000,00000009,?), ref: 0040334C
                                                                • SetFilePointer.KERNEL32(?,00000000,00000000,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,00004000,?,00000000,0040322F,00000004,00000000,00000000,0000000B,?,004031A9,000000FF,00000000), ref: 00403447
                                                                Strings
                                                                • o be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 00403379, 0040337F
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: FilePointer$CountTick
                                                                • String ID: o be not permitted or dropped out!Please reconnect and click Retry to resume installation.
                                                                • API String ID: 1092082344-292220189
                                                                • Opcode ID: f3fd145fe371a3aefb2ec72eaaf4336e3a5ddfe71b6918c4f9f269c5704fa6fa
                                                                • Instruction ID: 5f41a1ef9683aad456499e8308d87ccfcfa217f8aa92108fcff4f05b83e24891
                                                                • Opcode Fuzzy Hash: f3fd145fe371a3aefb2ec72eaaf4336e3a5ddfe71b6918c4f9f269c5704fa6fa
                                                                • Instruction Fuzzy Hash: 1F319F72A002059FC711BF2AFE849663BACE741356710C13BE814B62F0CB3859458FAD

                                                                Control-flow Graph
                                                                control_flow_graph 666 405f4a-405f54 667 405f55-405f80 GetTickCount GetTempFileNameA 666->667 668 405f82-405f84 667->668 669 405f8f-405f91 667->669 668->667 671 405f86 668->671 670 405f89-405f8c 669->670 671->670
                                                                APIs
                                                                • GetTickCount.KERNEL32 ref: 00405F5E
                                                                • GetTempFileNameA.KERNEL32(0000000B,?,00000000,?,?,004034CA,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007), ref: 00405F78
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: CountFileNameTempTick
                                                                • String ID: C:\Users\user\AppData\Local\Temp\$nsa
                                                                • API String ID: 1716503409-44229769
                                                                • Opcode ID: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
                                                                • Instruction ID: 05c77450f8afc2c62a5a11a921c51d956a1ea51751b09822177720344b0c8500
                                                                • Opcode Fuzzy Hash: 6f67c72f8a62f6904c1c8d13d4c39cdc389fdf02a571d79ef00f96109094c4c4
                                                                • Instruction Fuzzy Hash: 02F082363042087BDB109F55DD44BAB7B9CDF91750F14C03BFE48DA180D6B4D9988798

                                                                Control-flow Graph
                                                                control_flow_graph 672 4020a5-4020b1 673 4020b7-4020cd call 402c39 * 2 672->673 674 40216c-40216e 672->674 684 4020dc-4020ea LoadLibraryExA 673->684 685 4020cf-4020da GetModuleHandleA 673->685 676 4022e5-4022ea call 401423 674->676 681 402ac5-402ad4 676->681 687 4020ec-4020f9 GetProcAddress 684->687 688 402165-402167 684->688 685->684 685->687 689 402138-40213d call 4054a9 687->689 690 4020fb-402101 687->690 688->676 694 402142-402145 689->694 692 402103-40210f call 401423 690->692 693 40211a-402136 690->693 692->694 703 402111-402118 692->703 693->694 694->681 697 40214b-402153 call 403b0e 694->697 697->681 702 402159-402160 FreeLibrary 697->702 702->681 703->694
                                                                APIs
                                                                • GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 004020D0
                                                                  • Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
                                                                  • Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
                                                                  • Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
                                                                  • Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
                                                                  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
                                                                  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
                                                                  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
                                                                • LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 004020E0
                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 004020F0
                                                                • FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040215A
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
                                                                • String ID:
                                                                • API String ID: 2987980305-0
                                                                • Opcode ID: 55027bfb1e7038bef75906a0c7732c3b75841ebb17574d5b7e2f6ee6ad6aef08
                                                                • Instruction ID: efc1da79dccaef9ffb2761d2644f5cd4432d5c2edc08e83b6cf0327c91c21bf2
                                                                • Opcode Fuzzy Hash: 55027bfb1e7038bef75906a0c7732c3b75841ebb17574d5b7e2f6ee6ad6aef08
                                                                • Instruction Fuzzy Hash: 2B210832904214E7CF207FA58E4DAAE3A60AF44358F60413FF601B61E0DBBD49819A6E

                                                                Control-flow Graph
                                                                control_flow_graph 704 403a7c-403a8b 705 403a97-403a9f 704->705 706 403a8d-403a90 CloseHandle 704->706 707 403aa1-403aa4 CloseHandle 705->707 708 403aab-403ab7 call 403ad9 call 405b4a 705->708 706->705 707->708 712 403abc-403abd 708->712
                                                                APIs
                                                                • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,004038B3,?,?,00000007,00000009,0000000B), ref: 00403A8E
                                                                • CloseHandle.KERNEL32(FFFFFFFF,C:\Users\user\AppData\Local\Temp\,004038B3,?,?,00000007,00000009,0000000B), ref: 00403AA2
                                                                Strings
                                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00403A81
                                                                • C:\Users\user\AppData\Local\Temp\nsq35F8.tmp\, xrefs: 00403AB2
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: CloseHandle
                                                                • String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsq35F8.tmp\
                                                                • API String ID: 2962429428-445711526
                                                                • Opcode ID: 860558c91a71a64e21cfc04441b923a48857e57a960d7bb4a44cdc910ceccc08
                                                                • Instruction ID: f2bf129958ed6937e4157d035670f95a6da1e01cb45a681b65e96f9405f647bf
                                                                • Opcode Fuzzy Hash: 860558c91a71a64e21cfc04441b923a48857e57a960d7bb4a44cdc910ceccc08
                                                                • Instruction Fuzzy Hash: F4E08631640B1896C130EF7CAD4D8853B189B413357204726F1B9F20F0C738A9574EE9
                                                                APIs
                                                                • SetFilePointer.KERNEL32(00000009,00000000,00000000,00000000,00000000,0000000B,?,004031A9,000000FF,00000000,00000000,00000009,?), ref: 00403222
                                                                Strings
                                                                • o be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 00403277, 0040328E, 004032A4
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: FilePointer
                                                                • String ID: o be not permitted or dropped out!Please reconnect and click Retry to resume installation.
                                                                • API String ID: 973152223-292220189
                                                                • Opcode ID: 966fed337372371c4087f3b005d0b036fc883b56c67f04ec2e368497ceacb8e7
                                                                • Instruction ID: 301e065564a74905a78554ad982773151ad037ba2d6e6f8d8cd401a7b941de18
                                                                • Opcode Fuzzy Hash: 966fed337372371c4087f3b005d0b036fc883b56c67f04ec2e368497ceacb8e7
                                                                • Instruction Fuzzy Hash: E2318D30200219FFDB109F95ED45A9A3FA8EB05755B20847EB914E61D0D738DB509FA9
                                                                APIs
                                                                  • Part of subcall function 00405DB3: CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0,C:\Users\user\AppData\Local\Temp\3D69.exe), ref: 00405DC1
                                                                  • Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DC6
                                                                  • Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DDA
                                                                • GetFileAttributesA.KERNEL32(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D
                                                                  • Part of subcall function 0040596F: CreateDirectoryA.KERNEL32(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 004059B2
                                                                • SetCurrentDirectoryA.KERNEL32(00000000,C:\Users\user\AppData\Roaming\GamePall\update,00000000,00000000,000000F0), ref: 0040163C
                                                                Strings
                                                                • C:\Users\user\AppData\Roaming\GamePall\update, xrefs: 00401631
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                • String ID: C:\Users\user\AppData\Roaming\GamePall\update
                                                                • API String ID: 1892508949-2725132131
                                                                • Opcode ID: f3ba161a3ac08c4a0fb9ad52a50d0308f78dcdedc211e6075dac0401aebdcf48
                                                                • Instruction ID: f3b3600b6319d637c5497ea1020ed17c5aedac6227b62b2eaa768bc98e31f113
                                                                • Opcode Fuzzy Hash: f3ba161a3ac08c4a0fb9ad52a50d0308f78dcdedc211e6075dac0401aebdcf48
                                                                • Instruction Fuzzy Hash: 09115731508140EBCF306FA54D405BF23B09E96324B28453FF8D1B22E2DA3D0C42AA3E
                                                                APIs
                                                                  • Part of subcall function 00406388: lstrcpynA.KERNEL32(0000000B,0000000B,00000400,0040366F,00423F40,NSIS Error,?,00000007,00000009,0000000B), ref: 00406395
                                                                  • Part of subcall function 00405DB3: CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0,C:\Users\user\AppData\Local\Temp\3D69.exe), ref: 00405DC1
                                                                  • Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DC6
                                                                  • Part of subcall function 00405DB3: CharNextA.USER32(00000000), ref: 00405DDA
                                                                • lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0,C:\Users\user\AppData\Local\Temp\3D69.exe), ref: 00405E5B
                                                                • GetFileAttributesA.KERNEL32(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0), ref: 00405E6B
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                • String ID: C:\
                                                                • API String ID: 3248276644-3404278061
                                                                • Opcode ID: 9b5a40e36fb6d6325312229f101030c034a2baba4673648e7d7a04b0a2ff685f
                                                                • Instruction ID: eca821d8ca18e415d707ee210574ba5bb9731226a542ad11e9256983d04766a4
                                                                • Opcode Fuzzy Hash: 9b5a40e36fb6d6325312229f101030c034a2baba4673648e7d7a04b0a2ff685f
                                                                • Instruction Fuzzy Hash: F7F02831105D5116C6223336AD09AAF1644CE9732471A453FFCE1B52D2DB3C8A539CEE
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 3294aed7e6278100db64414b9f116292b07b09feaa7d8b5145f731feae0eba26
                                                                • Instruction ID: 14484b0326c8a5630d33184448731c7578348ec986130544f859662fecd3ad08
                                                                • Opcode Fuzzy Hash: 3294aed7e6278100db64414b9f116292b07b09feaa7d8b5145f731feae0eba26
                                                                • Instruction Fuzzy Hash: 04A12471E04229CBDF28CFA8C844BADBBB1FF44305F14816AD956BB281C7786986DF45
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 74e067d77b8d7a9b68dd685dca04d3d71c5ee3b4c66787705bfaaaffb075589f
                                                                • Instruction ID: 16a3963220edad981734dfbd86db7ae4535d0e52bcc7a87e0ef86c627c8cfaa4
                                                                • Opcode Fuzzy Hash: 74e067d77b8d7a9b68dd685dca04d3d71c5ee3b4c66787705bfaaaffb075589f
                                                                • Instruction Fuzzy Hash: 2D912370D04268CBDF28CF98C854BADBBB1FF44305F14816AD956BB281C7786986DF45
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: 7ffa2499bf387f79f1209cac769e5c71ba3d3f6d53411ba5d370abef73c06fe0
                                                                • Instruction ID: e981be8a744509f315cfd76b32476d9c10b76e0a4aa84739a8d113cb33934a41
                                                                • Opcode Fuzzy Hash: 7ffa2499bf387f79f1209cac769e5c71ba3d3f6d53411ba5d370abef73c06fe0
                                                                • Instruction Fuzzy Hash: 37812471E04228CBDF24CFA8C844BADBBB1FF45305F24816AD856BB291C7789986DF45
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: d628358dfeac25ccb8ac491a47a372453481bb06581bffe716440ea5054c50f9
                                                                • Instruction ID: 516ab04208dd2bc2fd7cdea6c41d3130492ff38fa800e35acf718bd73fbf6333
                                                                • Opcode Fuzzy Hash: d628358dfeac25ccb8ac491a47a372453481bb06581bffe716440ea5054c50f9
                                                                • Instruction Fuzzy Hash: A4712271E04228CBDF24CF98C844BADBBB1FF48305F14806AD856BB281C778A986DF45
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: e8eb04bd933ca205c297744f59a7b7035fe2e59d11d29800bf5f20fbdb1e525a
                                                                • Instruction ID: 835baf8de871759411e2c74e4a47f0112f02d54065241c3c7dcda5dc236b3f46
                                                                • Opcode Fuzzy Hash: e8eb04bd933ca205c297744f59a7b7035fe2e59d11d29800bf5f20fbdb1e525a
                                                                • Instruction Fuzzy Hash: 92712571E04228CBEF28CF98C844BADBBB1FF44305F15816AD856BB281C7786996DF45
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID:
                                                                • Opcode ID: ed70085a56e3aedeea153169e26c1aa9cf9d7e4654945abbe59913f8bdc615b9
                                                                • Instruction ID: ccec74d0ee3a806077926e8984c2e201e8b1f3d886c73ab216be699138b2bca7
                                                                • Opcode Fuzzy Hash: ed70085a56e3aedeea153169e26c1aa9cf9d7e4654945abbe59913f8bdc615b9
                                                                • Instruction Fuzzy Hash: 39715771E04228CBEF28CF98C844BADBBB1FF44305F14806AD956BB281C778A946DF45
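The six records above carry no API calls and differ mainly in the first characters of their Instruction Fuzzy Hash, while the CharNext/GetFileAttributes function before them and the two registry functions after them look nothing alike. The script below, an added example and not part of the Joe Sandbox report, copies those nine hash values from the records on this page and groups near-duplicate functions. The metric (per-character Hamming distance over the hex string, turned into a similarity in [0, 1]) and the 0.8 cut-off are assumptions: the page does not document the fuzzy-hash layout, so treat the grouping as a triage heuristic rather than a verdict on code identity.

```python
"""Cluster near-duplicate functions from a Joe Sandbox function listing
by their Instruction Fuzzy Hash.

Added example; not part of the Joe Sandbox report. RECORDS is copied from
the report's "Similarity" records for process 8 (dump at 0x400000). The
Hamming-distance metric and the 0.8 threshold are assumptions, since the
fuzzy-hash format is not documented on the page.
"""
from itertools import combinations

# (Opcode ID prefix, API ID, Instruction Fuzzy Hash), copied from the report.
# An empty API ID means the record listed no API calls.
RECORDS = [
    ("9b5a40e3", "CharNext$AttributesFilelstrcpynlstrlen",
     "F7F02831105D5116C6223336AD09AAF1644CE9732471A453FFCE1B52D2DB3C8A539CEE"),
    ("3294aed7", "", "04A12471E04229CBDF28CFA8C844BADBBB1FF44305F14816AD956BB281C7786986DF45"),
    ("74e067d7", "", "2D912370D04268CBDF28CF98C854BADBBB1FF44305F14816AD956BB281C7786986DF45"),
    ("7ffa2499", "", "37812471E04228CBDF24CFA8C844BADBBB1FF45305F24816AD856BB291C7789986DF45"),
    ("d628358d", "", "A4712271E04228CBDF24CF98C844BADBBB1FF48305F14806AD856BB281C778A986DF45"),
    ("e8eb04bd", "", "92712571E04228CBEF28CF98C844BADBBB1FF44305F15816AD856BB281C7786996DF45"),
    ("ed70085a", "", "39715771E04228CBEF28CF98C844BADBBB1FF44305F14806AD956BB281C778A946DF45"),
    ("ef8eeb58", "CloseValuelstrlen",
     "04116371E04208AFEB10AFA5DE49AAEBA74EB84714F21443BF504F71C1DAB94D409B68"),
    ("705f8b49", "Enum$CloseValue",
     "2C017571904104FFE7158F54DE88ABF7BACEF81358F20443EF101A61C0DAB44E449679"),
]


def hamming(a: str, b: str) -> int:
    """Number of differing hex characters; both hashes must have equal length."""
    if len(a) != len(b):
        raise ValueError("fuzzy hashes of different length are not comparable")
    return sum(x != y for x, y in zip(a, b))


def similarity(a: str, b: str) -> float:
    """1.0 for identical hashes, 0.0 when every character differs (assumed metric)."""
    return 1.0 - hamming(a, b) / len(a)


def cluster(records, threshold: float = 0.8):
    """Single-linkage clustering over the records.

    Two functions join the same cluster when their similarity is at least
    `threshold`, directly or through a chain of other members. Returns a
    list of clusters (lists of Opcode ID prefixes), largest first.
    """
    parent = {oid: oid for oid, _, _ in records}  # union-find forest

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for (ida, _, ha), (idb, _, hb) in combinations(records, 2):
        if similarity(ha, hb) >= threshold:
            parent[find(ida)] = find(idb)

    groups = {}
    for oid, _, _ in records:
        groups.setdefault(find(oid), []).append(oid)
    return sorted(groups.values(), key=len, reverse=True)


def summarize(records, threshold: float = 0.8):
    """One line per cluster: member count, API IDs seen, member Opcode IDs."""
    api_of = {oid: api for oid, api, _ in records}
    lines = []
    for members in cluster(records, threshold):
        apis = sorted({api_of[m] for m in members if api_of[m]}) or ["(no API calls)"]
        lines.append(f"{len(members)} function(s); API IDs: {', '.join(apis)}; "
                     f"members: {', '.join(members)}")
    return lines


if __name__ == "__main__":
    for line in summarize(RECORDS):
        print(line)
```

With the values from this report, the six unnamed functions land in one cluster (no pair inside it differs in more than 11 of 70 characters) and the three functions that do call APIs each stay on their own, so a reviewer can disassemble a single representative of the cluster and spend the time on the file-attribute and registry routines instead.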
                                                                APIs
                                                                • lstrlenA.KERNEL32(0040AC20,00000023,00000011,00000002), ref: 004024C9
                                                                • RegSetValueExA.KERNEL32(?,?,?,?,0040AC20,00000000,00000011,00000002), ref: 00402509
                                                                • RegCloseKey.KERNEL32(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: CloseValuelstrlen
                                                                • String ID:
                                                                • API String ID: 2655323295-0
                                                                • Opcode ID: ef8eeb58056491ee092ed80bef3546efe310264daaab0f586760f51b4d92765b
                                                                • Instruction ID: e1e6ae2a7b536448810537a1ffa9a52b32d6c636ce9630cd27147c6707bb0a71
                                                                • Opcode Fuzzy Hash: ef8eeb58056491ee092ed80bef3546efe310264daaab0f586760f51b4d92765b
                                                                • Instruction Fuzzy Hash: 04116371E04208AFEB10AFA5DE49AAEBA74EB84714F21443BF504F71C1DAB94D409B68
                                                                APIs
                                                                • RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025C2
                                                                • RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 004025D5
                                                                • RegCloseKey.KERNEL32(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: Enum$CloseValue
                                                                • String ID:
                                                                • API String ID: 397863658-0
                                                                • Opcode ID: 705f8b49631554dcec7b4eb98624595070a3904998d9344154508b49de78e75c
                                                                • Instruction ID: 33ff3e85e785963e302667c06a3cb1355a7acd8bf142a31c2560ef5bcfc7d759
                                                                • Opcode Fuzzy Hash: 705f8b49631554dcec7b4eb98624595070a3904998d9344154508b49de78e75c
                                                                • Instruction Fuzzy Hash: 2C017571904104FFE7158F54DE88ABF7BACEF81358F20443EF101A61C0DAB44E449679
                                                                APIs
                                                                  • Part of subcall function 00405EF6: GetFileAttributesA.KERNEL32(?,?,00405B0E,?,?,00000000,00405CF1,?,?,?,?), ref: 00405EFB
                                                                  • Part of subcall function 00405EF6: SetFileAttributesA.KERNEL32(?,00000000), ref: 00405F0F
                                                                • RemoveDirectoryA.KERNEL32(?,?,?,00000000,00405CF1), ref: 00405B1D
                                                                • DeleteFileA.KERNEL32(?,?,?,00000000,00405CF1), ref: 00405B25
                                                                • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405B3D
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: File$Attributes$DeleteDirectoryRemove
                                                                • String ID:
                                                                • API String ID: 1655745494-0
                                                                • Opcode ID: fdbfe47bebcd8a5232fcae5ebebd8a359ed736e28fe734178b51a2620122945d
                                                                • Instruction ID: eeb49a2f717892c2e0964ab94aaac89db2a73fdd151ed94c70539e0cf44bba43
                                                                • Opcode Fuzzy Hash: fdbfe47bebcd8a5232fcae5ebebd8a359ed736e28fe734178b51a2620122945d
                                                                • Instruction Fuzzy Hash: 6CE0E531109A9097C62067349908A5B7AF8EF86314F094D3AF9A1F20D0DB38B9468EBD
                                                                APIs
                                                                • WaitForSingleObject.KERNEL32(?,00000064), ref: 0040681A
                                                                • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 0040682F
                                                                • GetExitCodeProcess.KERNEL32(?,?), ref: 0040683C
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: ObjectSingleWait$CodeExitProcess
                                                                • String ID:
                                                                • API String ID: 2567322000-0
                                                                • Opcode ID: d1ff3f73a38d8d565191ded27fad29c52e1940f561348969c9200a5cb4687b78
                                                                • Instruction ID: abee92fc01d0549169be82d64ea8a54f8020188e09ec540bf7ef67874f21f581
                                                                • Opcode Fuzzy Hash: d1ff3f73a38d8d565191ded27fad29c52e1940f561348969c9200a5cb4687b78
                                                                • Instruction Fuzzy Hash: 9DE0D832600118FBDB00AB54DD05E9E7F6EEB44704F114033F601B6190C7B59E21DB98
                                                                APIs
                                                                • ReadFile.KERNEL32(00000009,00000000,00000000,00000000,00000000,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,0040B8F8,00403481,00000009,00000009,00403385,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,00004000,?,00000000,0040322F), ref: 00405FA7
                                                                Strings
                                                                • o be not permitted or dropped out!Please reconnect and click Retry to resume installation., xrefs: 00405F96
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: FileRead
                                                                • String ID: o be not permitted or dropped out!Please reconnect and click Retry to resume installation.
                                                                • API String ID: 2738559852-292220189
                                                                • Opcode ID: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
                                                                • Instruction ID: 61a6516da629700e98a59d605e8380186fb5f41ecf47873683bd74a9a2ef61d4
                                                                • Opcode Fuzzy Hash: 416aeb435aa013431afb1a9c1c8b913c8d53da26c76a00aa22b400e2b7bce1d1
                                                                • Instruction Fuzzy Hash: 8BE08C3220161EEBEF119E508C00AEBBB6CEB00360F004433FD25E3140E234E9218BA8
                                                                APIs
                                                                • RegQueryValueExA.KERNEL32(00000000,00000000,?,?,?,?), ref: 0040254E
                                                                • RegCloseKey.KERNEL32(?,?,?,0040AC20,00000000,00000011,00000002), ref: 004025ED
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: CloseQueryValue
                                                                • String ID:
                                                                • API String ID: 3356406503-0
                                                                • Opcode ID: acecc3e732b5dbd74a9740bd21ea2b495ff764a52a6e8e2361329d984987feff
                                                                • Instruction ID: 7c766f3f1fb2abd04e903467a79d83897fdaad9d0bba0580308fe752c8381985
                                                                • Opcode Fuzzy Hash: acecc3e732b5dbd74a9740bd21ea2b495ff764a52a6e8e2361329d984987feff
                                                                • Instruction Fuzzy Hash: 1B11BF71905205EFDB25CF64DA985AE7BB4AF11355F20483FE042B72C0D6B88A85DA1D
                                                                APIs
                                                                • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                • SendMessageA.USER32(?,00000402,00000000), ref: 004013F4
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: MessageSend
                                                                • String ID:
                                                                • API String ID: 3850602802-0
                                                                • Opcode ID: 04d136d289144069680b1fecce7da664cc2fd5e0b622116f853907ec40370e1b
                                                                • Instruction ID: c6e23866af321c238b4b59365f681da1ab702c54c00e726fca3ee5b0521d1f72
                                                                • Opcode Fuzzy Hash: 04d136d289144069680b1fecce7da664cc2fd5e0b622116f853907ec40370e1b
                                                                • Instruction Fuzzy Hash: 5201D131B242109BE7194B38AE04B2A36A8E754315F51813AF851F61F1DB78CC129B4D
                                                                APIs
                                                                • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422558,00000009,00000009,0000000B), ref: 00405A4A
                                                                • CloseHandle.KERNEL32(?), ref: 00405A57
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: CloseCreateHandleProcess
                                                                • String ID:
                                                                • API String ID: 3712363035-0
                                                                • Opcode ID: c3ebc3f9998ac015d8c7df4fd8e4914833f251e822556357c2f70f84276a4d27
                                                                • Instruction ID: 70dcd79ab4e1e9e84cc9ba673cd08f466e07e48f17d85ed3475224309c024e1a
                                                                • Opcode Fuzzy Hash: c3ebc3f9998ac015d8c7df4fd8e4914833f251e822556357c2f70f84276a4d27
                                                                • Instruction Fuzzy Hash: A5E04FB4600209BFEB009B64ED09F7B77ACFB04244F808421BE40F2150D67899658A78
                                                                APIs
                                                                • GetModuleHandleA.KERNEL32(?,00000000,?,0040360E,0000000B), ref: 004067A6
                                                                • GetProcAddress.KERNEL32(00000000,?), ref: 004067C1
                                                                  • Part of subcall function 00406726: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 0040673D
                                                                  • Part of subcall function 00406726: wsprintfA.USER32 ref: 00406776
                                                                  • Part of subcall function 00406726: LoadLibraryExA.KERNEL32(?,00000000,00000008), ref: 0040678A
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                • String ID:
                                                                • API String ID: 2547128583-0
                                                                • Opcode ID: c54c0e861ed706937e547878721e8d44c7a1bbc080d115c20b20089ef5e69713
                                                                • Instruction ID: 2a593beb9babc16b4b5ae8275dbdfb46ef4ebf17ea7291b62b5d373670c31446
                                                                • Opcode Fuzzy Hash: c54c0e861ed706937e547878721e8d44c7a1bbc080d115c20b20089ef5e69713
                                                                • Instruction Fuzzy Hash: B6E0863260421157D21067705E4897773ACAF94B54302043EF546F3144D7389C76966D
                                                                APIs
                                                                • GetFileAttributesA.KERNEL32(00000003,00402F9F,C:\Users\user\AppData\Local\Temp\3D69.exe,80000000,00000003), ref: 00405F1F
                                                                • CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F41
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: File$AttributesCreate
                                                                • String ID:
                                                                • API String ID: 415043291-0
                                                                • Opcode ID: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
                                                                • Instruction ID: c1cd633b288b309c16b37b55694bd397a2d2f3fd27c3ea135bedd35eac3c4d3c
                                                                • Opcode Fuzzy Hash: f7726857ad0760fd27b8592a290aaff25a5a689f9fd17e1a71efc27c39f42f7d
                                                                • Instruction Fuzzy Hash: D9D09E31254602AFEF0D8F20DE16F2E7AA2EB84B00F11952CB682944E2DA715819AB19
                                                                APIs
                                                                • GetFileAttributesA.KERNEL32(?,?,00405B0E,?,?,00000000,00405CF1,?,?,?,?), ref: 00405EFB
                                                                • SetFileAttributesA.KERNEL32(?,00000000), ref: 00405F0F
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: AttributesFile
                                                                • String ID:
                                                                • API String ID: 3188754299-0
                                                                • Opcode ID: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
                                                                • Instruction ID: 2a9487917742c73a52daa6fa2dda6e447083e2efb983b62a69771bacbdb33add
                                                                • Opcode Fuzzy Hash: 7db639ec3fc6e9a5b47d3eb1dfb332e917e8410632ca84ceba79978e33b6a3d0
                                                                • Instruction Fuzzy Hash: E3D0C972504422ABD2102728AE0889BBB55DB94271702CA35FDA5A26F1DB304C569A9C
                                                                APIs
                                                                • CreateDirectoryA.KERNEL32(?,00000000,004034BF,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004059F2
                                                                • GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 00405A00
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: CreateDirectoryErrorLast
                                                                • String ID:
                                                                • API String ID: 1375471231-0
                                                                • Opcode ID: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
                                                                • Instruction ID: 42ce2bd36b25b14d2ed8d631edf33fc643f4c4eb5ed9af5e51ab4a49ffb09bba
                                                                • Opcode Fuzzy Hash: 1ac3f182099991a074ef026cd112de1bb624e535cee62a6747cbed0a6cbac083
                                                                • Instruction Fuzzy Hash: 9BC04C303145419AD6505B309F4DB177A54AB50741F51553A638AE01A0DA348465DD2D
                                                                APIs
                                                                • lstrcpynA.KERNEL32(?,10003024,?,10003020,1000138F,10003020,00000400), ref: 10001454
                                                                • GlobalFree.KERNELBASE(10003020), ref: 10001464
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4110287907.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 00000008.00000002.4098157876.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 00000008.00000002.4127265171.0000000010002000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 00000008.00000002.4138567398.0000000010004000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_10000000_3D69.jbxd
                                                                Similarity
                                                                • API ID: FreeGloballstrcpyn
                                                                • String ID:
                                                                • API String ID: 1459762280-0
                                                                • Opcode ID: d37c7429f21efaa5103ac68eecef2f505b672404a3497301ec3293a1c9b8d6fd
                                                                • Instruction ID: 61cff6a9ed434c6726c3e265b98623322506fe6e864b2b4fb358a1092e6d6a6c
                                                                • Opcode Fuzzy Hash: d37c7429f21efaa5103ac68eecef2f505b672404a3497301ec3293a1c9b8d6fd
                                                                • Instruction Fuzzy Hash: 8DF0F8312152209FE315DF24CC94B9777E9FB0A385F018429E691C7278D770E804CB22
                                                                APIs
                                                                • RegCreateKeyExA.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CEA,00000000,?,?), ref: 00406265
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: Create
                                                                • String ID:
                                                                • API String ID: 2289755597-0
                                                                • Opcode ID: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
                                                                • Instruction ID: 57b18be241489d6c3509c0f1b2cb500900bdd64e2c84313365475615acd8ae2e
                                                                • Opcode Fuzzy Hash: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
                                                                • Instruction Fuzzy Hash: 16E0E672010109BEDF196F50DD0AD7B371DEB04341F01492EF916D4091E6B5A9309734
                                                                APIs
                                                                • WriteFile.KERNEL32(00000009,00000000,00000000,00000000,00000000,004114F7,0040B8F8,00403405,0040B8F8,004114F7,o be not permitted or dropped out!Please reconnect and click Retry to resume installation.,00004000,?,00000000,0040322F,00000004), ref: 00405FD6
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: FileWrite
                                                                • String ID:
                                                                • API String ID: 3934441357-0
                                                                • Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                                • Instruction ID: d5187e51ab0d96a1766449b5dbb93cac2cdd9e80b7d20ab2fc0b5d8c8d5322e8
                                                                • Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
                                                                • Instruction Fuzzy Hash: 4AE0EC3221065BABDF109E659C04EEB7B6CEB05360F004437FA55E3150D675E8219BA4
                                                                APIs
                                                                • RegOpenKeyExA.KERNEL32(00000000,?,00000000,?,?,00420530,?,?,0040629C,00420530,?,?,?,00000002,C:\Windows\wininit.ini), ref: 00406232
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: Open
                                                                • String ID:
                                                                • API String ID: 71445658-0
                                                                • Opcode ID: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
                                                                • Instruction ID: e678259d492eddc69303d735af6c58fa5eb03465f078c5ba6a1a088e01eebb4c
                                                                • Opcode Fuzzy Hash: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
                                                                • Instruction Fuzzy Hash: 64D0123244020DBBDF116F90ED01FAB3B1DEB18350F014826FE06A80A1D775D530A725
                                                                APIs
                                                                • MoveFileExA.KERNEL32(?,?,00000005(MOVEFILE_REPLACE_EXISTING|MOVEFILE_DELAY_UNTIL_REBOOT)), ref: 0040616B
                                                                  • Part of subcall function 00405FF1: CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00406182,?,?), ref: 00406022
                                                                  • Part of subcall function 00405FF1: GetShortPathNameA.KERNEL32(?,NUL,00000400), ref: 0040602B
                                                                  • Part of subcall function 00405FF1: GetShortPathNameA.KERNEL32(?,C:\Windows\wininit.ini,00000400), ref: 00406048
                                                                  • Part of subcall function 00405FF1: wsprintfA.USER32 ref: 00406066
                                                                  • Part of subcall function 00405FF1: GetFileSize.KERNEL32(00000000,00000000,C:\Windows\wininit.ini,C0000000,00000004,C:\Windows\wininit.ini,?,?,?,?,?), ref: 004060A1
                                                                  • Part of subcall function 00405FF1: GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060B0
                                                                  • Part of subcall function 00405FF1: lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E8
                                                                  • Part of subcall function 00405FF1: SetFilePointer.KERNEL32(0040A3F0,00000000,00000000,00000000,00000000,NUL=C:\Users\user\AppData\Local\Temp\nsq35F8.tmp\,00000000,-0000000A,0040A3F0,00000000,[Rename],00000000,00000000,00000000), ref: 0040613E
                                                                  • Part of subcall function 00405FF1: GlobalFree.KERNEL32(00000000), ref: 0040614F
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: File$GlobalNamePathShort$AllocCloseFreeHandleMovePointerSizelstrcpywsprintf
                                                                • String ID:
                                                                • API String ID: 299535525-0
                                                                • Opcode ID: e5ed7b2843c229ea28ef8c1ce415cb2f1f2a9dfc0e88d0e1822b60b3228602b1
                                                                • Instruction ID: 0556bd0dd0e376f9d1944fcc72f0db357db156cd0d89a75f2f72d3c973fa690a
                                                                • Opcode Fuzzy Hash: e5ed7b2843c229ea28ef8c1ce415cb2f1f2a9dfc0e88d0e1822b60b3228602b1
                                                                • Instruction Fuzzy Hash: F0D0C731108602FFDB111B10ED0591B7BA5FF90355F11943EF599940B1DB368461DF09
                                                                APIs
                                                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00403182,?), ref: 00403492
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: FilePointer
                                                                • String ID:
                                                                • API String ID: 973152223-0
                                                                • Opcode ID: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                                                                • Instruction ID: eadcf480fe67690f272c505b4903882a1233053cb438a9b9796e5ea94341b5dd
                                                                • Opcode Fuzzy Hash: 3686d685932152b10745f2b752acc0f7a7db7aadca6958b8d51083a7e9476777
                                                                • Instruction Fuzzy Hash: 25B09231140200AADA215F409E09F057B21AB94700F208424B244280F086712025EA0D
                                                                APIs
                                                                  • Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
                                                                  • Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
                                                                  • Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
                                                                  • Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
                                                                  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
                                                                  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
                                                                  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
                                                                  • Part of subcall function 00405A21: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422558,00000009,00000009,0000000B), ref: 00405A4A
                                                                  • Part of subcall function 00405A21: CloseHandle.KERNEL32(?), ref: 00405A57
                                                                • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FC0
                                                                  • Part of subcall function 00406809: WaitForSingleObject.KERNEL32(?,00000064), ref: 0040681A
                                                                  • Part of subcall function 00406809: GetExitCodeProcess.KERNEL32(?,?), ref: 0040683C
                                                                  • Part of subcall function 004062E6: wsprintfA.USER32 ref: 004062F3
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                                • String ID:
                                                                • API String ID: 2972824698-0
                                                                • Opcode ID: 5a6c6c0fb7ef29f4985f4766a88127bea2ca1a19b834f4a1a12170b8a3b172af
                                                                • Instruction ID: dce1314ccbc215d7d9c334b017be086f7c4cc40ba0f87dfe0d8145fd67a5eb82
                                                                • Opcode Fuzzy Hash: 5a6c6c0fb7ef29f4985f4766a88127bea2ca1a19b834f4a1a12170b8a3b172af
                                                                • Instruction Fuzzy Hash: 2DF0B432A05121DBDB20BFA59EC49EEB2A4DF41318B25463FF502B21D1CB7C4D418A6E
                                                                APIs
                                                                • GetDlgItem.USER32(?,00000403), ref: 00405646
                                                                • GetDlgItem.USER32(?,000003EE), ref: 00405655
                                                                • GetClientRect.USER32(?,?), ref: 00405692
                                                                • GetSystemMetrics.USER32(00000002), ref: 00405699
                                                                • SendMessageA.USER32(?,0000101B,00000000,?), ref: 004056BA
                                                                • SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004056CB
                                                                • SendMessageA.USER32(?,00001001,00000000,?), ref: 004056DE
                                                                • SendMessageA.USER32(?,00001026,00000000,?), ref: 004056EC
                                                                • SendMessageA.USER32(?,00001024,00000000,?), ref: 004056FF
                                                                • ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405721
                                                                • ShowWindow.USER32(?,00000008), ref: 00405735
                                                                • GetDlgItem.USER32(?,000003EC), ref: 00405756
                                                                • SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405766
                                                                • SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040577F
                                                                • SendMessageA.USER32(00000000,00002001,00000000,?), ref: 0040578B
                                                                • GetDlgItem.USER32(?,000003F8), ref: 00405664
                                                                  • Part of subcall function 0040443A: SendMessageA.USER32(00000028,?,00000001,0040426A), ref: 00404448
                                                                • GetDlgItem.USER32(?,000003EC), ref: 004057A7
                                                                • CreateThread.KERNEL32(00000000,00000000,Function_0000557B,00000000), ref: 004057B5
                                                                • CloseHandle.KERNEL32(00000000), ref: 004057BC
                                                                • ShowWindow.USER32(00000000), ref: 004057DF
                                                                • ShowWindow.USER32(?,00000008), ref: 004057E6
                                                                • ShowWindow.USER32(00000008), ref: 0040582C
                                                                • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00405860
                                                                • CreatePopupMenu.USER32 ref: 00405871
                                                                • AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405886
                                                                • GetWindowRect.USER32(?,000000FF), ref: 004058A6
                                                                • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004058BF
                                                                • SendMessageA.USER32(?,0000102D,00000000,?), ref: 004058FB
                                                                • OpenClipboard.USER32(00000000), ref: 0040590B
                                                                • EmptyClipboard.USER32 ref: 00405911
                                                                • GlobalAlloc.KERNEL32(00000042,?), ref: 0040591A
                                                                • GlobalLock.KERNEL32(00000000), ref: 00405924
                                                                • SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405938
                                                                • GlobalUnlock.KERNEL32(00000000), ref: 00405951
                                                                • SetClipboardData.USER32(00000001,00000000), ref: 0040595C
                                                                • CloseClipboard.USER32 ref: 00405962
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                • String ID: PB
                                                                • API String ID: 590372296-3196168531
                                                                • Opcode ID: 463c74343dc9a7e994e8db0b260deb87a45ca3f66d4da0101cb89f9be381629f
                                                                • Instruction ID: 44a2cb424ceca129f1c721a27905a8e57bc1109532c064cce4e419f7e60c3497
                                                                • Opcode Fuzzy Hash: 463c74343dc9a7e994e8db0b260deb87a45ca3f66d4da0101cb89f9be381629f
                                                                • Instruction Fuzzy Hash: 18A13971900608FFDB11AF64DE85AAE7BB9FB48355F00403AFA41BA1A0CB754E51DF58
                                                                APIs
                                                                • GetDlgItem.USER32(?,000003FB), ref: 004048E6
                                                                • SetWindowTextA.USER32(00000000,?), ref: 00404910
                                                                • SHBrowseForFolderA.SHELL32(?,00420128,?), ref: 004049C1
                                                                • CoTaskMemFree.OLE32(00000000), ref: 004049CC
                                                                • lstrcmpiA.KERNEL32(C:\Windows\wininit.ini,00420D50), ref: 004049FE
                                                                • lstrcatA.KERNEL32(?,C:\Windows\wininit.ini), ref: 00404A0A
                                                                • SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404A1C
                                                                  • Part of subcall function 00405A82: GetDlgItemTextA.USER32(?,?,00000400,00404A53), ref: 00405A95
                                                                  • Part of subcall function 00406666: CharNextA.USER32(0000000B,*?|<>/":,00000000,?,75923410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\3D69.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066BE
                                                                  • Part of subcall function 00406666: CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,75923410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\3D69.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066CB
                                                                  • Part of subcall function 00406666: CharNextA.USER32(0000000B,?,75923410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\3D69.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066D0
                                                                  • Part of subcall function 00406666: CharPrevA.USER32(0000000B,0000000B,75923410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\3D69.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066E0
                                                                • GetDiskFreeSpaceA.KERNEL32(0041FD20,?,?,0000040F,?,0041FD20,0041FD20,?,00000001,0041FD20,?,?,000003FB,?), ref: 00404ADA
                                                                • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404AF5
                                                                  • Part of subcall function 00404C4E: lstrlenA.KERNEL32(00420D50,00420D50,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404B69,000000DF,00000000,00000400,?), ref: 00404CEC
                                                                  • Part of subcall function 00404C4E: wsprintfA.USER32 ref: 00404CF4
                                                                  • Part of subcall function 00404C4E: SetDlgItemTextA.USER32(?,00420D50), ref: 00404D07
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                • String ID: A$C:\Users\user\AppData\Roaming\GamePall$C:\Windows\wininit.ini$PB
                                                                • API String ID: 2624150263-292181263
                                                                • Opcode ID: 246729fcc772db5bb1fe110679472811f76dfb67008edee7d622b3e588ee8d40
                                                                • Instruction ID: 03633cdec68ae3b48ba4c7d33c4768738bfb21d85bfcf2e4b9185cba9ee35c0f
                                                                • Opcode Fuzzy Hash: 246729fcc772db5bb1fe110679472811f76dfb67008edee7d622b3e588ee8d40
                                                                • Instruction Fuzzy Hash: 7DA150B1A00208AADB11EFA5DD45BAFB6B8EF84315F10803BF601B62D1D77C99418F6D
                                                                APIs
                                                                • CoCreateInstance.OLE32(00408418,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004021F8
                                                                • MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408408,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 004022AA
                                                                Strings
                                                                • C:\Users\user\AppData\Roaming\GamePall\update, xrefs: 00402238
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: ByteCharCreateInstanceMultiWide
                                                                • String ID: C:\Users\user\AppData\Roaming\GamePall\update
                                                                • API String ID: 123533781-2725132131
                                                                • Opcode ID: 975ab102bccf2e3ea3487b48f3b75e49990d828168e5a332ce340ef805c2210c
                                                                • Instruction ID: 4a55140eb955682c0845ac661669d1effe53c60cfc8a987c49de3bb9103baba8
                                                                • Opcode Fuzzy Hash: 975ab102bccf2e3ea3487b48f3b75e49990d828168e5a332ce340ef805c2210c
                                                                • Instruction Fuzzy Hash: B2513575A00208AFDF10DFE4CA88A9D7BB5EF48314F2045BAF505EB2D1DA799981CB54
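                                                                The per-function listings above follow one line shape throughout: an API name with its module, the argument snapshot, and the `ref:` return address, with subcalls marked "Part of subcall function", strings with their xrefs, and the .sdmp region each function was lifted from. The parser below turns one such listing into structured records and a triage view (API histogram, every file path that appears as an argument or string, and calls on a watch list such as the CreateProcessA subcall and the GamePall\update path seen in this process). It is an added example, not code from the Joe Sandbox report or its IDA plugin. The sample text is built from lines on this page (one argument list shortened), the watch list is hypothetical, and reading the fifth dotted field of the .sdmp name as the region's PAGE_* protection is an assumption that matches this report (00000020 on the 0x401000 code range, 00000004 on the data ranges) but is not documented here.

```python
import re
from collections import Counter

# Constructed sample, shaped like the per-function listings the Joe Sandbox IDA
# plugin emits on this report (process 8, the dropped 3D69.exe). The lines are
# copied from the page; the CharNextA argument list is shortened.
SAMPLE = r"""APIs
• GetDlgItem.USER32(?,000003FB), ref: 004048E6
• SHBrowseForFolderA.SHELL32(?,00420128,?), ref: 004049C1
• lstrcmpiA.KERNEL32(C:\Windows\wininit.ini,00420D50), ref: 004049FE
  • Part of subcall function 00405A21: CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00422558,00000009,00000009,0000000B), ref: 00405A4A
  • Part of subcall function 00406666: CharNextA.USER32(0000000B,*?|<>/":,00000000,?,75923410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\3D69.exe,004034A7), ref: 004066BE
• wsprintfA.USER32 ref: 004062F3
Strings
• C:\Users\user\AppData\Roaming\GamePall\update, xrefs: 00402238
Memory Dump Source
• Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
"""

API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})\s*$"
)
STR_RE = re.compile(r"^\s*•\s*(?P<text>.+?), xrefs: (?P<ref>[0-9A-F]{8})\s*$")
SRC_RE = re.compile(
    r"Source File: (?P<dump>[0-9A-Fa-f.]+\.sdmp), Offset: (?P<off>[0-9A-F]{8}), "
    r"based on PE: (?P<pe>true|false)"
)
PATH_RE = re.compile(r"[A-Za-z]:\\[^,]*")   # a Windows path inside one argument

# Assumption for this example: the fifth dotted field of a .sdmp name is the
# region's Win32 PAGE_* protection. It agrees with the report, where the
# 0x401000 code range carries 00000020 and the 0x40A000 data range 00000004.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}

# Hypothetical triage watch list; not a list taken from the report or the plugin.
WATCH = {"CreateProcessA", "CreateProcessW", "CreateThread", "CreateRemoteThread",
         "WriteProcessMemory", "VirtualAllocEx", "SetWindowsHookExA"}


def describe_dump(name, offset, based_on_pe):
    fields = name[: -len(".sdmp")].split(".")
    prot = int(fields[4], 16)
    return {
        "process": int(fields[0], 16),     # analysed process index (8 here)
        "base": int(fields[3], 16),        # start of the dumped region
        "protect": PAGE_PROTECT.get(prot, hex(prot)),
        "image_base": int(offset, 16),     # "Offset:" is the PE image base
        "pe": based_on_pe,
    }


def parse_function_block(text):
    """Split one function listing into API calls, strings and dump sources."""
    section, calls, strings, dumps = None, [], [], []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in ("APIs", "Strings", "Memory Dump Source"):
            section = stripped
            continue
        if section == "APIs" and (m := API_RE.match(line)):
            calls.append({
                "api": m["api"], "module": m["mod"], "ref": m["ref"],
                "subcall": m["sub"],           # None when called directly
                "args": m["args"].split(",") if m["args"] else [],
            })
        elif section == "Strings" and (m := STR_RE.match(line)):
            strings.append({"text": m["text"], "ref": m["ref"]})
        elif section == "Memory Dump Source" and (m := SRC_RE.search(line)):
            dumps.append(describe_dump(m["dump"], m["off"], m["pe"] == "true"))
    return {"calls": calls, "strings": strings, "dumps": dumps}


def summarize(block):
    """Triage view: API histogram, paths seen in arguments/strings, watched calls."""
    calls = block["calls"]
    paths = {p for c in calls for a in c["args"] for p in PATH_RE.findall(a)}
    paths |= {p for s in block["strings"] for p in PATH_RE.findall(s["text"])}
    return {
        "apis": Counter(f"{c['api']}.{c['module']}" for c in calls),
        "paths": sorted(paths),
        "subcalls": sorted({c["subcall"] for c in calls if c["subcall"]}),
        "flagged": [(c["api"], c["ref"], c["subcall"]) for c in calls if c["api"] in WATCH],
    }


if __name__ == "__main__":
    for key, value in summarize(parse_function_block(SAMPLE)).items():
        print(f"{key}: {value}")
```

Run over the whole "APIs" section of a report, the path set is a quick way to pull the drop and persistence directories out of argument snapshots that otherwise sit inside long lines, and the `ref:` addresses give you the place to set a breakpoint when re-running the dump under a debugger.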
                                                                APIs
                                                                • FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 004027B9
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: FileFindFirst
                                                                • String ID:
                                                                • API String ID: 1974802433-0
                                                                • Opcode ID: 3697544f2be0618a58616ff40495ed399055e36512a5e022deae8fba2564a7e1
                                                                • Instruction ID: 9767438fe71d1176ff9aac627a01f72906af616df08219c0cc944b63bddc0547
                                                                • Opcode Fuzzy Hash: 3697544f2be0618a58616ff40495ed399055e36512a5e022deae8fba2564a7e1
                                                                • Instruction Fuzzy Hash: CCF0A0726082049AD710EBA49A49AEEB7689F51324F60057BF142F20C1D6B889459B2A
                                                                APIs
                                                                • GetDlgItem.USER32(?,000003F9), ref: 00404E21
                                                                • GetDlgItem.USER32(?,00000408), ref: 00404E2E
                                                                • GlobalAlloc.KERNEL32(00000040,?), ref: 00404E7D
                                                                • LoadImageA.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404E94
                                                                • SetWindowLongA.USER32(?,000000FC,0040541D), ref: 00404EAE
                                                                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404EC0
                                                                • ImageList_AddMasked.COMCTL32(00000000,00000110,00FF00FF), ref: 00404ED4
                                                                • SendMessageA.USER32(?,00001109,00000002), ref: 00404EEA
                                                                • SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404EF6
                                                                • SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404F06
                                                                • DeleteObject.GDI32(00000110), ref: 00404F0B
                                                                • SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404F36
                                                                • SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404F42
                                                                • SendMessageA.USER32(?,00001100,00000000,?), ref: 00404FDC
                                                                • SendMessageA.USER32(?,0000110A,00000003,00000110), ref: 0040500C
                                                                  • Part of subcall function 0040443A: SendMessageA.USER32(00000028,?,00000001,0040426A), ref: 00404448
                                                                • SendMessageA.USER32(?,00001100,00000000,?), ref: 00405020
                                                                • GetWindowLongA.USER32(?,000000F0), ref: 0040504E
                                                                • SetWindowLongA.USER32(?,000000F0,00000000), ref: 0040505C
                                                                • ShowWindow.USER32(?,00000005), ref: 0040506C
                                                                • SendMessageA.USER32(?,00000419,00000000,?), ref: 00405167
                                                                • SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004051CC
                                                                • SendMessageA.USER32(?,00000150,00000000,00000000), ref: 004051E1
                                                                • SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00405205
                                                                • SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00405225
                                                                • ImageList_Destroy.COMCTL32(?), ref: 0040523A
                                                                • GlobalFree.KERNEL32(?), ref: 0040524A
                                                                • SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 004052C3
                                                                • SendMessageA.USER32(?,00001102,?,?), ref: 0040536C
                                                                • SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 0040537B
                                                                • InvalidateRect.USER32(?,00000000,00000001), ref: 004053A6
                                                                • ShowWindow.USER32(?,00000000), ref: 004053F4
                                                                • GetDlgItem.USER32(?,000003FE), ref: 004053FF
                                                                • ShowWindow.USER32(00000000), ref: 00405406
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                • String ID: $M$N
                                                                • API String ID: 2564846305-813528018
                                                                • Opcode ID: 4bb258af210f6716591e45ffd85afba0d9fc7d499c01c39e68e435e5f0500988
                                                                • Instruction ID: c306c4130ea67d8582adb4b0d0e706bf782d7aff15223233fd0d43401108afdf
                                                                • Opcode Fuzzy Hash: 4bb258af210f6716591e45ffd85afba0d9fc7d499c01c39e68e435e5f0500988
                                                                • Instruction Fuzzy Hash: 6C025CB0A00609AFDB209F94DD45AAE7BB5FB84354F10817AF610BA2E1D7789D42CF58
                                                                APIs
                                                                • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403F47
                                                                • ShowWindow.USER32(?), ref: 00403F67
                                                                • GetWindowLongA.USER32(?,000000F0), ref: 00403F79
                                                                • ShowWindow.USER32(?,00000004), ref: 00403F92
                                                                • DestroyWindow.USER32 ref: 00403FA6
                                                                • SetWindowLongA.USER32(?,00000000,00000000), ref: 00403FBF
                                                                • GetDlgItem.USER32(?,?), ref: 00403FDE
                                                                • SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403FF2
                                                                • IsWindowEnabled.USER32(00000000), ref: 00403FF9
                                                                • GetDlgItem.USER32(?,00000001), ref: 004040A4
                                                                • GetDlgItem.USER32(?,00000002), ref: 004040AE
                                                                • SetClassLongA.USER32(?,000000F2,?), ref: 004040C8
                                                                • SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00404119
                                                                • GetDlgItem.USER32(?,00000003), ref: 004041BF
                                                                • ShowWindow.USER32(00000000,?), ref: 004041E0
                                                                • EnableWindow.USER32(?,?), ref: 004041F2
                                                                • EnableWindow.USER32(?,?), ref: 0040420D
                                                                • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404223
                                                                • EnableMenuItem.USER32(00000000), ref: 0040422A
                                                                • SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00404242
                                                                • SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00404255
                                                                • lstrlenA.KERNEL32(00420D50,?,00420D50,00000000), ref: 0040427F
                                                                • SetWindowTextA.USER32(?,00420D50), ref: 0040428E
                                                                • ShowWindow.USER32(?,0000000A), ref: 004043C2
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
                                                                • String ID: PB
                                                                • API String ID: 1860320154-3196168531
                                                                • Opcode ID: a84a76c7c437068317dea6ec38f5a19867a10701d7094664a652b1a8aea3850c
                                                                • Instruction ID: 6b3c419a8b2de2434844e8cd53afab52d63163afb5b1bd925d395a768d9dd0e6
                                                                • Opcode Fuzzy Hash: a84a76c7c437068317dea6ec38f5a19867a10701d7094664a652b1a8aea3850c
                                                                • Instruction Fuzzy Hash: ECC1D2B1A00204BBCB206F61EE45E2B3A78EB85745F41053EF781B61F1CB3998929B5D
                                                                APIs
                                                                • CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004045FB
                                                                • GetDlgItem.USER32(00000000,000003E8), ref: 0040460F
                                                                • SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 0040462D
                                                                • GetSysColor.USER32(?), ref: 0040463E
                                                                • SendMessageA.USER32(00000000,00000443,00000000,?), ref: 0040464D
                                                                • SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 0040465C
                                                                • lstrlenA.KERNEL32(?), ref: 0040465F
                                                                • SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040466E
                                                                • SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404683
                                                                • GetDlgItem.USER32(?,0000040A), ref: 004046E5
                                                                • SendMessageA.USER32(00000000), ref: 004046E8
                                                                • GetDlgItem.USER32(?,000003E8), ref: 00404713
                                                                • SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404753
                                                                • LoadCursorA.USER32(00000000,00007F02), ref: 00404762
                                                                • SetCursor.USER32(00000000), ref: 0040476B
                                                                • LoadCursorA.USER32(00000000,00007F00), ref: 00404781
                                                                • SetCursor.USER32(00000000), ref: 00404784
                                                                • SendMessageA.USER32(00000111,00000001,00000000), ref: 004047B0
                                                                • SendMessageA.USER32(00000010,00000000,00000000), ref: 004047C4
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                • String ID: N$6B
                                                                • API String ID: 3103080414-649610290
                                                                • Opcode ID: c874497606b373bfbb3475a273ba326ab034ae9c38f8566fe8320349c510c150
                                                                • Instruction ID: 424ea1d81b5f8fd67bb79b8421ee67f108f717641e3cc5fc4ea293435da972af
                                                                • Opcode Fuzzy Hash: c874497606b373bfbb3475a273ba326ab034ae9c38f8566fe8320349c510c150
                                                                • Instruction Fuzzy Hash: CE6190B1A40208BFDB109F61DD45B6A7B69FB84715F10843AFB01BB2D1C7B8A951CF98
                                                                APIs
                                                                • DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
                                                                • BeginPaint.USER32(?,?), ref: 00401047
                                                                • GetClientRect.USER32(?,?), ref: 0040105B
                                                                • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                • DeleteObject.GDI32(?), ref: 004010ED
                                                                • CreateFontIndirectA.GDI32(?), ref: 00401105
                                                                • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                • DrawTextA.USER32(00000000,00423F40,000000FF,00000010,00000820), ref: 00401156
                                                                • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                • DeleteObject.GDI32(?), ref: 00401165
                                                                • EndPaint.USER32(?,?), ref: 0040116E
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                • String ID: F
                                                                • API String ID: 941294808-1304234792
                                                                • Opcode ID: db458c2aac7b07c9de4f1dfd54ee4cc10e0d46da2aaa9c20a0cc65b716daa4c3
                                                                • Instruction ID: bc851ab26da2bb863bf3a2ee07eb2f950de800ada4cbee7b2d64f78586a04119
                                                                • Opcode Fuzzy Hash: db458c2aac7b07c9de4f1dfd54ee4cc10e0d46da2aaa9c20a0cc65b716daa4c3
                                                                • Instruction Fuzzy Hash: 2C419D71800249AFCF058FA5DE459AF7FB9FF45314F00802AF991AA1A0C734DA55DFA4
                                                                APIs
                                                                • lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
                                                                • lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
                                                                • lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
                                                                • SetWindowTextA.USER32(00420530,00420530), ref: 00405517
                                                                • SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
                                                                • SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
                                                                • SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                • String ID: 4/@
                                                                • API String ID: 2531174081-3101945251
                                                                • Opcode ID: 17623ae6e76ffa783ca229a28a88b1e205e4a8d30cb80da27a9000df8195634c
                                                                • Instruction ID: 7ab3267fb946cf8e7efc5916356ec1270af3577e2396c2c3629ce5ef3fcb69de
                                                                • Opcode Fuzzy Hash: 17623ae6e76ffa783ca229a28a88b1e205e4a8d30cb80da27a9000df8195634c
                                                                • Instruction Fuzzy Hash: 0F217A71E00118BBCF119FA5DD8099EBFB9EF09354F04807AF944A6291C7788A90CFA8
                                                                APIs
                                                                • CharNextA.USER32(0000000B,*?|<>/":,00000000,?,75923410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\3D69.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066BE
                                                                • CharNextA.USER32(0000000B,0000000B,0000000B,00000000,?,75923410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\3D69.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066CB
                                                                • CharNextA.USER32(0000000B,?,75923410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\3D69.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066D0
                                                                • CharPrevA.USER32(0000000B,0000000B,75923410,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\3D69.exe,004034A7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 004066E0
                                                                Strings
                                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00406667
                                                                • C:\Users\user\AppData\Local\Temp\3D69.exe, xrefs: 00406666
                                                                • *?|<>/":, xrefs: 004066AE
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                 • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                 • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: Char$Next$Prev
                                                                • String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\3D69.exe
                                                                • API String ID: 589700163-1666349740
                                                                • Opcode ID: 6bc0e94b7f234696628355ee2fbbbdde5b7464ab094feb853247d74dffcc646e
                                                                • Instruction ID: 80d428334b402c3338f843ea799862c1973996ffb1638880579f4ae0c72fc655
                                                                • Opcode Fuzzy Hash: 6bc0e94b7f234696628355ee2fbbbdde5b7464ab094feb853247d74dffcc646e
                                                                • Instruction Fuzzy Hash: 7E1108518047902DEB3206340C04B7B7F894F977A0F2A087FD8C6722C2D67E5C62967D
                                                                APIs
                                                                • DestroyWindow.USER32(?,00000000), ref: 00402ED5
                                                                • GetTickCount.KERNEL32 ref: 00402EF3
                                                                • wsprintfA.USER32 ref: 00402F21
                                                                  • Part of subcall function 004054A9: lstrlenA.KERNEL32(00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000,?), ref: 004054E2
                                                                  • Part of subcall function 004054A9: lstrlenA.KERNEL32(4/@,00420530,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F34,00000000), ref: 004054F2
                                                                  • Part of subcall function 004054A9: lstrcatA.KERNEL32(00420530,00000020,4/@,00420530,00000000,00000000,00000000), ref: 00405505
                                                                  • Part of subcall function 004054A9: SetWindowTextA.USER32(00420530,00420530), ref: 00405517
                                                                  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040553D
                                                                  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405557
                                                                  • Part of subcall function 004054A9: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405565
                                                                • CreateDialogParamA.USER32(0000006F,00000000,00402E25,00000000), ref: 00402F45
                                                                • ShowWindow.USER32(00000000,00000005), ref: 00402F53
                                                                  • Part of subcall function 00402EA1: MulDiv.KERNEL32(?,00000064,?), ref: 00402EB6
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
                                                                • String ID: ... %d%%$#Vh%.@
                                                                • API String ID: 722711167-1706192003
                                                                • Opcode ID: db62a3d36480f0b73892ce8a9fc69f21d0c49374a29e778f3850d420ffd5c07d
                                                                • Instruction ID: ac0ca11ee9366edb0cc6a28cc5aeb329eacd7d00ab00b3c3670f6d564c8935e4
                                                                • Opcode Fuzzy Hash: db62a3d36480f0b73892ce8a9fc69f21d0c49374a29e778f3850d420ffd5c07d
                                                                • Instruction Fuzzy Hash: 3F01A170542225EBCB21BB50EF0CBAB3778EB40744B04443BF505B21D0C7F894469AEE
                                                                APIs
                                                                • GetWindowLongA.USER32(?,000000EB), ref: 00404489
                                                                • GetSysColor.USER32(00000000), ref: 004044C7
                                                                • SetTextColor.GDI32(?,00000000), ref: 004044D3
                                                                • SetBkMode.GDI32(?,?), ref: 004044DF
                                                                • GetSysColor.USER32(?), ref: 004044F2
                                                                • SetBkColor.GDI32(?,?), ref: 00404502
                                                                • DeleteObject.GDI32(?), ref: 0040451C
                                                                • CreateBrushIndirect.GDI32(?), ref: 00404526
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                • String ID:
                                                                • API String ID: 2320649405-0
                                                                • Opcode ID: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
                                                                • Instruction ID: 76b6fc4927f6120469f5ffa52701fcd3ddd76896e52d32ad6f55637f73cee333
                                                                • Opcode Fuzzy Hash: d8b0c4ae085d5752a0ceb3fd9c96bfdfa4daadee6b5f884e1a531c3ceae13210
                                                                • Instruction Fuzzy Hash: 9E2147B1501704AFCB31DF68ED08B5BBBF8AF41715B04892EEA96A26E0D734E904CB54
                                                                APIs
                                                                • SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404D73
                                                                • GetMessagePos.USER32 ref: 00404D7B
                                                                • ScreenToClient.USER32(?,?), ref: 00404D95
                                                                • SendMessageA.USER32(?,00001111,00000000,?), ref: 00404DA7
                                                                • SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404DCD
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: Message$Send$ClientScreen
                                                                • String ID: f
                                                                • API String ID: 41195575-1993550816
                                                                • Opcode ID: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                                                • Instruction ID: de178be9688f757f82ef56a4cbeb6693d0582b60b2ea90e1a00f6814b48fd044
                                                                • Opcode Fuzzy Hash: fae6ee4ef260730fd0e6baeb46c05ac4d0d99299cd6b7910a3b5b88b2e21feb9
                                                                • Instruction Fuzzy Hash: BB014871900219BADB01DBA4DD85BFEBBF8AF95B11F10016ABA40B61C0C6B499058BA4
                                                                APIs
                                                                • CreateDirectoryA.KERNEL32(?,0000000B,C:\Users\user\AppData\Local\Temp\), ref: 004059B2
                                                                • GetLastError.KERNEL32 ref: 004059C6
                                                                • SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004059DB
                                                                • GetLastError.KERNEL32 ref: 004059E5
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                • String ID: !9@$C:\Users\user\AppData\Local\Temp\
                                                                • API String ID: 3449924974-3700438604
                                                                • Opcode ID: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
                                                                • Instruction ID: 4cd508ff09270142ca7a6984d66ae253fefa4e1f6983b248f3af4f59f5a14231
                                                                • Opcode Fuzzy Hash: df2ca303ac227c9e0d0fbc5e27afd1aa0bff8a01fb2d8cf1edb312bec269ebc1
                                                                • Instruction Fuzzy Hash: 610108B1D00259DAEF109BA0CA45BEFBBB8EB04354F00403AD645B6290D7789648CF99
                                                                APIs
                                                                • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E40
                                                                • wsprintfA.USER32 ref: 00402E74
                                                                • SetWindowTextA.USER32(?,?), ref: 00402E84
                                                                • SetDlgItemTextA.USER32(?,00000406,?), ref: 00402E96
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: Text$ItemTimerWindowwsprintf
                                                                • String ID: unpacking data: %d%%$verifying installer: %d%%
                                                                • API String ID: 1451636040-1158693248
                                                                • Opcode ID: a45d99d8fe85d32cf27a6b993dcd334edf2177b7a3e8b64a3b444c48cc752336
                                                                • Instruction ID: 7ad4584a5e884be7344c254f70e0401137e7e46ce86c3cf658bb2ab9d23be74a
                                                                • Opcode Fuzzy Hash: a45d99d8fe85d32cf27a6b993dcd334edf2177b7a3e8b64a3b444c48cc752336
                                                                • Instruction Fuzzy Hash: 1DF01D7054020DBAEF219F60DE0ABAE3769EB44344F00803AFA16B91D0DBB899558F99
                                                                APIs
                                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402849
                                                                • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 00402865
                                                                • GlobalFree.KERNEL32(?), ref: 004028A4
                                                                • GlobalFree.KERNEL32(00000000), ref: 004028B7
                                                                • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028D3
                                                                • DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004028E6
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                • String ID:
                                                                • API String ID: 2667972263-0
                                                                • Opcode ID: 89df3cefb7dd421bed2d3b7eed546734cb5ae329452e645b4cc4e6c356db934a
                                                                • Instruction ID: cd924008ac91bdcd896aacfcc8aadc4f9c7de1b4393fc14a433ce499bdbf1d56
                                                                • Opcode Fuzzy Hash: 89df3cefb7dd421bed2d3b7eed546734cb5ae329452e645b4cc4e6c356db934a
                                                                • Instruction Fuzzy Hash: D931AC32800128ABDF216FA5DE49D9E7A75FF08364F24423AF450B62D0CB7949419F68
                                                                APIs
                                                                • OpenProcess.KERNEL32(00100401,00000000,?,0000025E,?,00000000,?), ref: 10001054
                                                                • EnumWindows.USER32(10001007,?), ref: 10001074
                                                                • GetExitCodeProcess.KERNEL32(00000000,?), ref: 10001084
                                                                • WaitForSingleObject.KERNEL32(00000000,00000BB8), ref: 1000109D
                                                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 100010AE
                                                                • CloseHandle.KERNEL32(00000000), ref: 100010C5
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4110287907.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                • Associated: 00000008.00000002.4098157876.0000000010000000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 00000008.00000002.4127265171.0000000010002000.00000002.00000001.01000000.00000008.sdmp
                                                                • Associated: 00000008.00000002.4138567398.0000000010004000.00000002.00000001.01000000.00000008.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_10000000_3D69.jbxd
                                                                Similarity
                                                                • API ID: Process$CloseCodeEnumExitHandleObjectOpenSingleTerminateWaitWindows
                                                                • String ID:
                                                                • API String ID: 3465249596-0
                                                                • Opcode ID: 45a2251c50cfe7217ad4567bb79eedec0e3199e983198285888405aa9b7494a4
                                                                • Instruction ID: 6b4dcd5717a232181223c093e4f4244ae1ce1555a3c8e15b92772d9ea2fb9ae7
                                                                • Opcode Fuzzy Hash: 45a2251c50cfe7217ad4567bb79eedec0e3199e983198285888405aa9b7494a4
                                                                • Instruction Fuzzy Hash: 5211E235A00299EFFB00DFA5CCC8AEE77BCEB456C5F014069FA4192149D7B49981CB62
                                                                APIs
                                                                • lstrlenA.KERNEL32(00420D50,00420D50,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,00404B69,000000DF,00000000,00000400,?), ref: 00404CEC
                                                                • wsprintfA.USER32 ref: 00404CF4
                                                                • SetDlgItemTextA.USER32(?,00420D50), ref: 00404D07
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: ItemTextlstrlenwsprintf
                                                                • String ID: %u.%u%s%s$PB
                                                                • API String ID: 3540041739-838025833
                                                                • Opcode ID: 837710c020be2e613de14c6f4d6baa8c213068046cd931f6ce14c5213cbfad60
                                                                • Instruction ID: 635705270cf82d3fa6c033b13715314544988666452c3f341a93ad76d23c3d90
                                                                • Opcode Fuzzy Hash: 837710c020be2e613de14c6f4d6baa8c213068046cd931f6ce14c5213cbfad60
                                                                • Instruction Fuzzy Hash: 5F11E77360512837EB00656D9D45EAE3298DB85374F26423BFE26F71D1E978CC1286E8
                                                                APIs
                                                                • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402D8F
                                                                • RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402DDB
                                                                • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DE4
                                                                • RegDeleteKeyA.ADVAPI32(?,?), ref: 00402DFB
                                                                • RegCloseKey.ADVAPI32(?,?,?), ref: 00402E06
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: CloseEnum$DeleteValue
                                                                • String ID:
                                                                • API String ID: 1354259210-0
                                                                • Opcode ID: 6a17d2dfc8014f9998472e4bb2df9c50261cd009cc462a72ab7525fe56808e65
                                                                • Instruction ID: 1f7d8097ab2fb743d310579a2b4365e3e31c1a4ec17ce584dda370d325fd3950
                                                                • Opcode Fuzzy Hash: 6a17d2dfc8014f9998472e4bb2df9c50261cd009cc462a72ab7525fe56808e65
                                                                • Instruction Fuzzy Hash: 1D214B7150010CBBDF129F90CE89EEB7B7DEF44344F11007AF955B11A0D7B49EA49AA8
                                                                APIs
                                                                • GetDlgItem.USER32(?,?), ref: 00401D7E
                                                                • GetClientRect.USER32(?,?), ref: 00401DCC
                                                                • LoadImageA.USER32(?,?,?,?,?,?), ref: 00401DFC
                                                                • SendMessageA.USER32(?,00000172,?,00000000), ref: 00401E10
                                                                • DeleteObject.GDI32(00000000), ref: 00401E20
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                • String ID:
                                                                • API String ID: 1849352358-0
                                                                • Opcode ID: 593d1372a554d47c5dd87fed6cfd69f5edd78a04abfcab04570fffcca4b878a5
                                                                • Instruction ID: cb7cd4706ec086029cb46641885d9617bace417a5341e65c45b3777010ef1041
                                                                • Opcode Fuzzy Hash: 593d1372a554d47c5dd87fed6cfd69f5edd78a04abfcab04570fffcca4b878a5
                                                                • Instruction Fuzzy Hash: 35212A72E00109AFDF15DFA4DD85AAEBBB5EB88300F24417EF911F62A0DB389941DB14
                                                                APIs
                                                                • GetDC.USER32(?), ref: 00401E38
                                                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E52
                                                                • MulDiv.KERNEL32(00000000,00000000), ref: 00401E5A
                                                                • ReleaseDC.USER32(?,00000000), ref: 00401E6B
                                                                • CreateFontIndirectA.GDI32(0040B820), ref: 00401EBA
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: CapsCreateDeviceFontIndirectRelease
                                                                • String ID:
                                                                • API String ID: 3808545654-0
                                                                • Opcode ID: de4b304c9a389d7a08c3fe75b8b690b37b20fc1cb77e4e41693a04eab2cef683
                                                                • Instruction ID: bfe7ce59390996d5b2ac71ca67757b7c78ff13e1b53bdd881068f9c0e557254e
                                                                • Opcode Fuzzy Hash: de4b304c9a389d7a08c3fe75b8b690b37b20fc1cb77e4e41693a04eab2cef683
                                                                • Instruction Fuzzy Hash: 66018072504340AEE7007BB0AF8AA9A7FE8E755701F109439F241B61E2CB790449CB6C
                                                                APIs
                                                                • SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C9E
                                                                • SendMessageA.USER32(00000000,00000000,?,?), ref: 00401CB6
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: MessageSend$Timeout
                                                                • String ID: !
                                                                • API String ID: 1777923405-2657877971
                                                                • Opcode ID: 1399452274c26c04b05c3e26325e61428879637001adb01d26c94ca9c19498ca
                                                                • Instruction ID: a12cfbdd51ff26f17676da16b1bc06906883597644a76ef85f46b7bf1251d8d3
                                                                • Opcode Fuzzy Hash: 1399452274c26c04b05c3e26325e61428879637001adb01d26c94ca9c19498ca
                                                                • Instruction Fuzzy Hash: 2A218271948208BEEB059FF5DA8AAAD7FB4EF84304F20447EF101B61D1D7B989819B18
                                                                APIs
                                                                • lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004034B9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 00405D20
                                                                • CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004034B9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004037A9,?,00000007,00000009,0000000B), ref: 00405D29
                                                                • lstrcatA.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405D3A
                                                                Strings
                                                                • C:\Users\user\AppData\Local\Temp\, xrefs: 00405D1A
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: CharPrevlstrcatlstrlen
                                                                • String ID: C:\Users\user\AppData\Local\Temp\
                                                                • API String ID: 2659869361-823278215
                                                                • Opcode ID: 78cba1d5cb2474798914f87c9b537ab1510ee16986e2efd06177e80df85e38b2
                                                                • Instruction ID: 6a6775ee8fa4d5d8d60a890cb1840bbff54d6a4bc9e312217f61a2b57c53a4e0
                                                                • Opcode Fuzzy Hash: 78cba1d5cb2474798914f87c9b537ab1510ee16986e2efd06177e80df85e38b2
                                                                • Instruction Fuzzy Hash: 82D0A7625015307AD20167154C09DDF29488F523017094027F501B7191C67C5C1187FD
                                                                APIs
                                                                • CharNextA.USER32(?,?,C:\,0000000B,00405E1F,C:\,C:\,75923410,?,75922EE0,00405B6A,?,75923410,75922EE0,C:\Users\user\AppData\Local\Temp\3D69.exe), ref: 00405DC1
                                                                • CharNextA.USER32(00000000), ref: 00405DC6
                                                                • CharNextA.USER32(00000000), ref: 00405DDA
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: CharNext
                                                                • String ID: C:\
                                                                • API String ID: 3213498283-3404278061
                                                                • Opcode ID: 39b5ed16b6dfe77c974b4e4dad13ac827778716fd50118a58326aa52b160bb8b
                                                                • Instruction ID: a81d310af092f64b8c374c4571b8fed5a60269d48026fa3bbeeaae68e06855d2
                                                                • Opcode Fuzzy Hash: 39b5ed16b6dfe77c974b4e4dad13ac827778716fd50118a58326aa52b160bb8b
                                                                • Instruction Fuzzy Hash: 71F09661904F542BFB3293648C4CB776B8DCF55351F28947BE6807A6C1C27C59808FEA
                                                                APIs
                                                                • IsWindowVisible.USER32(?), ref: 0040544C
                                                                • CallWindowProcA.USER32(?,?,?,?), ref: 0040549D
                                                                  • Part of subcall function 00404451: SendMessageA.USER32(00000000,00000000,00000000,00000000), ref: 00404463
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: Window$CallMessageProcSendVisible
                                                                • String ID:
                                                                • API String ID: 3748168415-3916222277
                                                                • Opcode ID: 14b3d6ef5c2a84fc52750bef5e2e8b29c93878db9a0e482e1958f3e7559ce471
                                                                • Instruction ID: ce4d6245f7a5538c18ae28323cba1b5bdda0ccdff68052f186ad3da5f1ae13b7
                                                                • Opcode Fuzzy Hash: 14b3d6ef5c2a84fc52750bef5e2e8b29c93878db9a0e482e1958f3e7559ce471
                                                                • Instruction Fuzzy Hash: 2A015E31200608AFDF216F51DD80BAF3A66EB84716F104537FA05761D2C7799CD29F6A
                                                                APIs
                                                                • RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,C:\Windows\wininit.ini,00420530,?,?,?,00000002,C:\Windows\wininit.ini,?,00406527,80000002), ref: 004062B5
                                                                • RegCloseKey.ADVAPI32(?,?,00406527,80000002,Software\Microsoft\Windows\CurrentVersion,C:\Windows\wininit.ini,C:\Windows\wininit.ini,C:\Windows\wininit.ini,?,00420530), ref: 004062C0
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: CloseQueryValue
                                                                • String ID: C:\Windows\wininit.ini
                                                                • API String ID: 3356406503-2725141966
                                                                • Opcode ID: b5b3bad3c76d40b2ede80ce474e794f1db4bf40d8bfbb80b5b2804fbfeedd4a0
                                                                • Instruction ID: 5c8aa4f59809ec7c4ed175be077f356401e74c3ba082423fbe1b6bbc42bea5f4
                                                                • Opcode Fuzzy Hash: b5b3bad3c76d40b2ede80ce474e794f1db4bf40d8bfbb80b5b2804fbfeedd4a0
                                                                • Instruction Fuzzy Hash: 8101BC72100209ABDF229F60CC09FDB3FA8EF45364F01407AFD56A6190D638C974CBA8
                                                                APIs
                                                                • lstrlenA.KERNEL32(80000000,C:\Users\user\AppData\Local\Temp,00402FC8,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\3D69.exe,C:\Users\user\AppData\Local\Temp\3D69.exe,80000000,00000003), ref: 00405D67
                                                                • CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\AppData\Local\Temp,00402FC8,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp,C:\Users\user\AppData\Local\Temp\3D69.exe,C:\Users\user\AppData\Local\Temp\3D69.exe,80000000,00000003), ref: 00405D75
                                                                Strings
                                                                • C:\Users\user\AppData\Local\Temp, xrefs: 00405D61
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: CharPrevlstrlen
                                                                • String ID: C:\Users\user\AppData\Local\Temp
                                                                • API String ID: 2709904686-1943935188
                                                                • Opcode ID: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
                                                                • Instruction ID: 27c40c0738421aba4af956c8f0f705930dfe744a77a65273bf6dbb66402e0641
                                                                • Opcode Fuzzy Hash: 46bbde6159133eac16457addd6c3fa88623ef59ff022f94c34d6ba2180d3974b
                                                                • Instruction Fuzzy Hash: CBD0A772409D706EE31353208C04B8F6A48CF13300F0D4063E481A6190C2785C424BFD
                                                                APIs
                                                                • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E90
                                                                • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405EA8
                                                                • CharNextA.USER32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EB9
                                                                • lstrlenA.KERNEL32(00000000,?,00000000,004060DB,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405EC2
                                                                Memory Dump Source
                                                                • Source File: 00000008.00000002.4024951970.0000000000401000.00000020.00000001.01000000.00000007.sdmp, Offset: 00400000, based on PE: true
                                                                • Associated: 00000008.00000002.4024918959.0000000000400000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4024993542.0000000000408000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000040A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000422000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.000000000042A000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025025946.0000000000434000.00000004.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000436000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000439000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000446000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000454000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.000000000045B000.00000002.00000001.01000000.00000007.sdmp
                                                                • Associated: 00000008.00000002.4025159068.0000000000462000.00000002.00000001.01000000.00000007.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_8_2_400000_3D69.jbxd
                                                                Similarity
                                                                • API ID: lstrlen$CharNextlstrcmpi
                                                                • String ID:
                                                                • API String ID: 190613189-0
                                                                • Opcode ID: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
                                                                • Instruction ID: 98ea32bb50e75ca8be10b873c57fc005eda9f523d07111d413316ed06cfa332a
                                                                • Opcode Fuzzy Hash: 2d92a05f35b020f23b5ffca9bb537fc612b2b61cfc11000e71e0c2b875cbb8c3
                                                                • Instruction Fuzzy Hash: 5FF06235104918AFCB129BA5DD4099EBFA8EF55350B2540B9E880F7211D674DF019BA9

                                                                Execution Graph

                                                                Execution Coverage:1.2%
                                                                Dynamic/Decrypted Code Coverage:23.2%
                                                                Signature Coverage:3.5%
                                                                Total number of Nodes:1454
                                                                Total number of Limit Nodes:103
                                                                execution_graph (node/edge listing that renders as the graph image; condensed here to the API call chains it records, keyed by node address)
                                                                • Entry 0x633052 -> 0x63306a: LoadLibraryA, CreateThread, WaitForSingleObject, FreeLibrary; the CreateThread edge leads to 0x34421f5 (InitializeCriticalSectionAndSpinCount)
                                                                • 0x3442219: CreateMutexA -> 0x3442235 GetLastError -> either 0x3442678 ExitProcess or continue at 0x3442246 (exit when the mutex already exists)
                                                                • 0x3443508: EnterCriticalSection, GetProcessHeap, RtlAllocateHeap, LeaveCriticalSection (allocation wrapper called throughout; equivalent wrappers at 0x3446c7f, 0x34451f6, 0x3441a2d, 0x3443657); 0x344353a: GetProcessHeap, RtlFreeHeap (free wrapper); 0x344264f: DeleteCriticalSection before ExitProcess
                                                                • 0x34446d4: GetModuleHandleA -> 0x34446f2 LoadLibraryA (module resolution wrapper, called throughout)
                                                                • 0x3441f2d: GetUserDefaultUILanguage -> 0x3441fe7 GetKeyboardLayoutList; the caller then reaches ExitProcess at 0x34423dd, 0x3442412 or 0x3442447, or continues
                                                                • 0x3444860: VirtualAlloc; 0x34448d0: GetCurrentProcess, IsWow64Process; 0x34425a2: GetModuleFileNameW
                                                                • 0x3442468: CreateThread, CreateThread, WaitForMultipleObjects; worker entry points 0x34419df, 0x3441d3c and 0x344519f
                                                                • 0x3444c06: KiUserCallbackDispatcher, GetSystemMetrics -> 0x3444c51 GetDC -> 0x3444c65 GetCurrentObject -> 0x3444c78 GetObjectW -> 0x3444caf DeleteObject, CreateCompatibleDC -> 0x3444d24 CreateDIBSection -> 0x3444d45 SelectObject -> 0x3444d55 BitBlt -> 0x3444e09 DeleteObject -> 0x3444e10 DeleteDC -> 0x3444e17 ReleaseDC (screen capture)
                                                                • 0x3442103: GetCurrentHwProfileA -> 0x344212d GetSystemInfo -> 0x3442159 GlobalMemoryStatusEx -> 0x34421db EnumDisplayDevicesA -> 0x34421ee ObtainUserAgentString (host profiling)
                                                                • 0x344546d: socket -> 0x34454b1 connect -> 0x34454c8 send -> 0x34454ea send -> 0x3445517 Sleep, then back to 0x3445491 and connect again (send with retry loop)
                                                                • 0x3441cdd: CryptUnprotectData -> 0x3441d0c CryptProtectData (DPAPI)
                                                                • File enumeration guarded by EnterCriticalSection/LeaveCriticalSection at 0x3441662/0x344167e, 0x3444f84/0x3444f9f and 0x34444cf/0x3444539: 0x344407d GetFileAttributesW; FindFirstFileW/FindNextFileW pairs at 0x3441156/0x34413bd, 0x3444ec2/0x344516b and 0x3441d75/0x3441f01, recursing through 0x3441000, 0x3444e27, 0x3441d3c and 0x3443eb6
                                                                • String conversion helpers: 0x3442e29 and 0x3442eb1 WideCharToMultiByte; 0x3442991 WideCharToMultiByte, IsDBCSLeadByte, WideCharToMultiByte, __aulldvrm; 0x344329d and 0x3443308 IsDBCSLeadByte; 0x34432aa and 0x3443329 MultiByteToWideChar
                                                                • Second root 0x67fca5 (CRT start-up): ___scrt_is_nonwritable_in_current_image, ___scrt_release_startup_lock, std::locale::_Setgloballocale -> 0x6805bd GetStartupInfoW -> 0x6805e0 GetModuleHandleW; locale and code-page set-up via 0x692ab6 GetOEMCP, 0x692acd GetACP, 0x692fbe IsValidCodePage, 0x692ff9 and 0x692b91 GetCPInfo, 0x68ac3e RtlAllocateHeap; 0x680046 IsProcessorFeaturePresent -> 0x6806f0 SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess (the listing ends here)
TerminateProcess 145944->146025 145946 680810 145946->145902 145948 687178 ctype 39 API calls 145947->145948 145949 68ed01 145948->145949 145967 691e03 145949->145967 145951 68ed2e 145952 68edbd 145951->145952 145953 68edb5 145951->145953 145955 68ac15 std::_Locinfo::_Locinfo_dtor 15 API calls 145951->145955 145958 68ed53 ctype codecvt 145951->145958 145954 68003d __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 145952->145954 145970 67faaa 14 API calls ___std_exception_copy 145953->145970 145956 68ede0 145954->145956 145955->145958 145962 68efd1 145956->145962 145958->145953 145959 691e03 __fread_nolock MultiByteToWideChar 145958->145959 145960 68ed9c 145959->145960 145960->145953 145961 68eda3 GetStringTypeW 145960->145961 145961->145953 145963 687178 ctype 39 API calls 145962->145963 145964 68efe4 145963->145964 145973 68ede2 145964->145973 145971 691d6b 145967->145971 145970->145952 145972 691d7c MultiByteToWideChar 145971->145972 145972->145951 145974 68edfd ctype 145973->145974 145975 691e03 __fread_nolock MultiByteToWideChar 145974->145975 145978 68ee41 145975->145978 145976 68efbc 145977 68003d __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 145976->145977 145979 68efcf 145977->145979 145978->145976 145980 68ac15 std::_Locinfo::_Locinfo_dtor 15 API calls 145978->145980 145982 68ee67 ctype 145978->145982 145993 68ef0f 145978->145993 145979->145938 145980->145982 145983 691e03 __fread_nolock MultiByteToWideChar 145982->145983 145982->145993 145984 68eeb0 145983->145984 145984->145993 146001 68e1d3 145984->146001 145987 68ef1e 145989 68efa7 145987->145989 145990 68ac15 std::_Locinfo::_Locinfo_dtor 15 API calls 145987->145990 145994 68ef30 ctype 145987->145994 145988 68eee6 145992 68e1d3 std::_Locinfo::_Locinfo_dtor 7 API calls 145988->145992 145988->145993 146012 67faaa 14 API calls 
___std_exception_copy 145989->146012 145990->145994 145992->145993 146013 67faaa 14 API calls ___std_exception_copy 145993->146013 145994->145989 145995 68e1d3 std::_Locinfo::_Locinfo_dtor 7 API calls 145994->145995 145996 68ef73 145995->145996 145996->145989 146010 691ebd WideCharToMultiByte _Fputc 145996->146010 145998 68ef8d 145998->145989 145999 68ef96 145998->145999 146011 67faaa 14 API calls ___std_exception_copy 145999->146011 146014 68dd60 146001->146014 146004 68e20b 146017 68e230 5 API calls std::_Locinfo::_Locinfo_dtor 146004->146017 146005 68e1e4 LCMapStringEx 146009 68e22b 146005->146009 146008 68e224 LCMapStringW 146008->146009 146009->145987 146009->145988 146009->145993 146010->145998 146011->145993 146012->145993 146013->145976 146018 68de5f 146014->146018 146017->146008 146019 68de8f 146018->146019 146020 68dd76 146018->146020 146019->146020 146021 68dd94 __Getctype LoadLibraryExW GetLastError LoadLibraryExW FreeLibrary 146019->146021 146020->146004 146020->146005 146022 68dea3 146021->146022 146022->146020 146023 68dea9 GetProcAddress 146022->146023 146023->146020 146024 68deb9 __Getctype 146023->146024 146024->146020 146025->145946 146026 62f3c4 146044 62f3cd 146026->146044 146027 62f698 std::runtime_error::runtime_error _strlen 146028 62f6f6 InternetOpenUrlA 146027->146028 146029 62f782 InternetReadFile 146028->146029 146030 62f734 FreeLibrary 146028->146030 146031 62f7b2 146029->146031 146032 62f7bb FreeLibrary 146029->146032 146038 62f75f 146030->146038 146031->146029 146031->146032 146049 634c60 146031->146049 146047 62f82a std::ios_base::failure::failure 146032->146047 146033 62f5c9 146036 62f6a0 146033->146036 146037 62f676 146033->146037 146056 684870 15 API calls 146036->146056 146055 684870 15 API calls 146037->146055 146057 624120 39 API calls task 146038->146057 146044->146027 146044->146033 146053 621d90 15 API calls 146044->146053 146054 621de0 20 API calls 146044->146054 146045 62f77a 146058 624120 39 API calls task 146047->146058 
146050 634ccd 146049->146050 146052 634c80 std::ios_base::failure::failure std::runtime_error::runtime_error Concurrency::task_continuation_context::task_continuation_context 146049->146052 146050->146052 146059 6219b0 146050->146059 146052->146031 146053->146044 146054->146044 146055->146027 146056->146027 146057->146045 146058->146045 146060 6219d0 Concurrency::task_continuation_context::task_continuation_context 146059->146060 146062 6219dd task Concurrency::task_continuation_context::task_continuation_context 146060->146062 146070 633fc0 41 API calls std::_Xinvalid_argument 146060->146070 146067 6213d0 146062->146067 146064 621a16 std::ios_base::failure::failure shared_ptr std::runtime_error::runtime_error 146066 621a89 std::ios_base::failure::failure Concurrency::task_continuation_context::task_continuation_context 146064->146066 146071 633410 39 API calls allocator 146064->146071 146066->146052 146072 6213b0 146067->146072 146069 6213f0 allocator std::runtime_error::runtime_error Concurrency::task_continuation_context::task_continuation_context 146069->146064 146070->146062 146071->146066 146075 634bc0 146072->146075 146076 634bd0 allocator 146075->146076 146079 621370 146076->146079 146081 621378 allocator 146079->146081 146080 621396 146083 621391 146080->146083 146094 633220 146080->146094 146081->146080 146082 621388 146081->146082 146086 621460 146082->146086 146083->146069 146087 621477 146086->146087 146088 62147c 146086->146088 146097 633d80 RaiseException stdext::threads::lock_error::lock_error std::ios_base::clear 146087->146097 146090 633220 allocator 16 API calls 146088->146090 146092 621485 146090->146092 146093 6214a0 146092->146093 146098 68458f 39 API calls 2 library calls 146092->146098 146093->146083 146099 67fb05 146094->146099 146097->146088 146101 67fb0a 146099->146101 146102 63322c 146101->146102 146105 67fb26 codecvt 146101->146105 146109 684a40 146101->146109 146116 687694 EnterCriticalSection LeaveCriticalSection codecvt 
146101->146116 146102->146083 146104 680371 stdext::threads::lock_error::lock_error 146118 68106c RaiseException 146104->146118 146105->146104 146117 68106c RaiseException 146105->146117 146107 68038e 146111 68ac15 __Getctype 146109->146111 146110 68ac53 146120 6853de 14 API calls __dosmaperr 146110->146120 146111->146110 146113 68ac3e RtlAllocateHeap 146111->146113 146119 687694 EnterCriticalSection LeaveCriticalSection codecvt 146111->146119 146113->146111 146114 68ac51 146113->146114 146114->146101 146116->146101 146117->146104 146118->146107 146119->146111 146120->146114 146121 67fe5f 146122 67fe68 146121->146122 146129 68013c IsProcessorFeaturePresent 146122->146129 146124 67fe74 146130 682f0e 10 API calls 2 library calls 146124->146130 146126 67fe7d 146127 67fe79 146127->146126 146131 682f2d 7 API calls 2 library calls 146127->146131 146129->146124 146130->146127 146131->146126 146132 635d29 146142 635d32 146132->146142 146134 636006 146407 684870 15 API calls 146134->146407 146135 635fdc 146406 684870 15 API calls 146135->146406 146136 635f2e 146136->146134 146136->146135 146141 636250 146143 636327 146141->146143 146144 6362fd 146141->146144 146142->146136 146153 635ffe 146142->146153 146404 621d90 15 API calls 146142->146404 146405 621de0 20 API calls 146142->146405 146411 684870 15 API calls 146143->146411 146410 684870 15 API calls 146144->146410 146145 636562 146150 636639 146145->146150 146151 63660f 146145->146151 146415 684870 15 API calls 146150->146415 146414 684870 15 API calls 146151->146414 146153->146141 146163 63631f 146153->146163 146373 63c4b7 146153->146373 146408 621d90 15 API calls 146153->146408 146409 621de0 20 API calls 146153->146409 146156 636880 146158 636958 146156->146158 146159 63692e 146156->146159 146419 684870 15 API calls 146158->146419 146418 684870 15 API calls 146159->146418 146161 636b93 146166 636c41 146161->146166 146167 636c6b 146161->146167 146163->146145 146171 636631 146163->146171 146412 621d90 15 API calls 
146163->146412 146413 621de0 20 API calls 146163->146413 146422 684870 15 API calls 146166->146422 146423 684870 15 API calls 146167->146423 146169 636eb7 146174 636f64 146169->146174 146175 636f8e 146169->146175 146171->146156 146178 636950 146171->146178 146416 621d90 15 API calls 146171->146416 146417 621de0 20 API calls 146171->146417 146426 684870 15 API calls 146174->146426 146427 684870 15 API calls 146175->146427 146176 6371c9 146182 6372a0 146176->146182 146183 637276 146176->146183 146178->146161 146184 636c63 146178->146184 146420 621d90 15 API calls 146178->146420 146421 621de0 20 API calls 146178->146421 146431 684870 15 API calls 146182->146431 146430 684870 15 API calls 146183->146430 146184->146169 146196 636f86 146184->146196 146424 621d90 15 API calls 146184->146424 146425 621de0 20 API calls 146184->146425 146188 6374e7 146190 637595 146188->146190 146191 6375bf 146188->146191 146434 684870 15 API calls 146190->146434 146435 684870 15 API calls 146191->146435 146194 6377fa 146198 6378d2 146194->146198 146199 6378a8 146194->146199 146196->146176 146203 637298 146196->146203 146428 621d90 15 API calls 146196->146428 146429 621de0 20 API calls 146196->146429 146439 684870 15 API calls 146198->146439 146438 684870 15 API calls 146199->146438 146201 637b0d 146206 637be5 146201->146206 146207 637bbb 146201->146207 146203->146188 146211 6375b7 146203->146211 146432 621d90 15 API calls 146203->146432 146433 621de0 20 API calls 146203->146433 146443 684870 15 API calls 146206->146443 146442 684870 15 API calls 146207->146442 146208 637e20 146216 637ef8 146208->146216 146217 637ece 146208->146217 146210 638203 146215 638516 146210->146215 146234 638446 146210->146234 146452 621d90 15 API calls 146210->146452 146453 621de0 20 API calls 146210->146453 146211->146194 146221 6378ca 146211->146221 146436 621d90 15 API calls 146211->146436 146437 621de0 20 API calls 146211->146437 146228 638759 146215->146228 146259 638829 146215->146259 146456 621d90 15 API 
calls 146215->146456 146457 621de0 20 API calls 146215->146457 146447 684870 15 API calls 146216->146447 146446 684870 15 API calls 146217->146446 146218 638b71 VirtualAlloc 146274 638ba8 146218->146274 146219 637bdd 146219->146208 146229 637ef0 146219->146229 146444 621d90 15 API calls 146219->146444 146445 621de0 20 API calls 146219->146445 146220 638133 146226 6381e1 146220->146226 146227 63820b 146220->146227 146221->146201 146221->146219 146440 621d90 15 API calls 146221->146440 146441 621de0 20 API calls 146221->146441 146450 684870 15 API calls 146226->146450 146451 684870 15 API calls 146227->146451 146241 638831 146228->146241 146242 638807 146228->146242 146229->146210 146229->146220 146448 621d90 15 API calls 146229->146448 146449 621de0 20 API calls 146229->146449 146235 6384f4 146234->146235 146236 63851e 146234->146236 146454 684870 15 API calls 146235->146454 146455 684870 15 API calls 146236->146455 146459 684870 15 API calls 146241->146459 146458 684870 15 API calls 146242->146458 146247 6397c2 146263 639815 VirtualAlloc 146247->146263 146302 63985a 146247->146302 146248 638a6c 146249 638b44 146248->146249 146250 638b1a 146248->146250 146463 684870 15 API calls 146249->146463 146462 684870 15 API calls 146250->146462 146255 638e91 146467 684870 15 API calls 146255->146467 146256 638e67 146466 684870 15 API calls 146256->146466 146257 638b3c 146257->146218 146258 638db3 146258->146255 146258->146256 146259->146218 146259->146248 146460 621d90 15 API calls 146259->146460 146461 621de0 20 API calls 146259->146461 146266 63983f 146263->146266 146263->146302 146264 6390cc 146268 6391a4 146264->146268 146269 63917a 146264->146269 146480 68106c RaiseException 146266->146480 146267 638e89 146267->146264 146287 63919c 146267->146287 146468 621d90 15 API calls 146267->146468 146469 621de0 20 API calls 146267->146469 146471 684870 15 API calls 146268->146471 146470 684870 15 API calls 146269->146470 146271 6393df 146277 6394b7 146271->146277 146278 63948d 
146271->146278 146274->146258 146274->146267 146464 621d90 15 API calls 146274->146464 146465 621de0 20 API calls 146274->146465 146475 684870 15 API calls 146277->146475 146474 684870 15 API calls 146278->146474 146280 6396f2 146284 6397a0 146280->146284 146285 6397ca 146280->146285 146478 684870 15 API calls 146284->146478 146479 684870 15 API calls 146285->146479 146287->146271 146290 6394af 146287->146290 146472 621d90 15 API calls 146287->146472 146473 621de0 20 API calls 146287->146473 146290->146247 146290->146280 146476 621d90 15 API calls 146290->146476 146477 621de0 20 API calls 146290->146477 146291 639a68 146293 639b40 146291->146293 146294 639b16 146291->146294 146484 684870 15 API calls 146293->146484 146483 684870 15 API calls 146294->146483 146298 639d7b 146300 639e53 146298->146300 146301 639e29 146298->146301 146488 684870 15 API calls 146300->146488 146487 684870 15 API calls 146301->146487 146302->146291 146313 639b38 146302->146313 146481 621d90 15 API calls 146302->146481 146482 621de0 20 API calls 146302->146482 146305 63a09a 146308 63a172 146305->146308 146309 63a148 146305->146309 146492 684870 15 API calls 146308->146492 146491 684870 15 API calls 146309->146491 146311 63a3ad 146316 63a485 146311->146316 146317 63a45b 146311->146317 146313->146298 146321 639e4b 146313->146321 146485 621d90 15 API calls 146313->146485 146486 621de0 20 API calls 146313->146486 146496 684870 15 API calls 146316->146496 146495 684870 15 API calls 146317->146495 146319 63a6ca 146324 63a7a2 146319->146324 146325 63a778 146319->146325 146321->146305 146327 63a16a 146321->146327 146489 621d90 15 API calls 146321->146489 146490 621de0 20 API calls 146321->146490 146500 684870 15 API calls 146324->146500 146499 684870 15 API calls 146325->146499 146327->146311 146334 63a47d 146327->146334 146493 621d90 15 API calls 146327->146493 146494 621de0 20 API calls 146327->146494 146331 63aab5 146504 684870 15 API calls 146331->146504 146332 63aa8b 146503 684870 15 API calls 
146332->146503 146333 63a9dd 146333->146331 146333->146332 146334->146319 146345 63a79a 146334->146345 146497 621d90 15 API calls 146334->146497 146498 621de0 20 API calls 146334->146498 146338 63ad04 146340 63adb2 146338->146340 146341 63addc 146338->146341 146507 684870 15 API calls 146340->146507 146508 684870 15 API calls 146341->146508 146343 63b017 146348 63b0c5 146343->146348 146349 63b0ef 146343->146349 146345->146333 146353 63aaad 146345->146353 146501 621d90 15 API calls 146345->146501 146502 621de0 20 API calls 146345->146502 146511 684870 15 API calls 146348->146511 146512 684870 15 API calls 146349->146512 146351 63b336 146356 63b3e4 146351->146356 146357 63b40e 146351->146357 146353->146338 146360 63add4 146353->146360 146505 621d90 15 API calls 146353->146505 146506 621de0 20 API calls 146353->146506 146515 684870 15 API calls 146356->146515 146516 684870 15 API calls 146357->146516 146358 63b661 146364 63b715 146358->146364 146365 63b73f 146358->146365 146360->146343 146366 63b0e7 146360->146366 146509 621d90 15 API calls 146360->146509 146510 621de0 20 API calls 146360->146510 146519 684870 15 API calls 146364->146519 146520 684870 15 API calls 146365->146520 146366->146351 146372 63b406 146366->146372 146513 621d90 15 API calls 146366->146513 146514 621de0 20 API calls 146366->146514 146371 63b9af 146374 63ba63 146371->146374 146375 63ba8d 146371->146375 146372->146358 146384 63b737 _Yarn 146372->146384 146517 621d90 15 API calls 146372->146517 146518 621de0 20 API calls 146372->146518 146523 684870 15 API calls 146374->146523 146524 684870 15 API calls 146375->146524 146378 63bce0 146381 63bd94 146378->146381 146382 63bdbe 146378->146382 146527 684870 15 API calls 146381->146527 146528 684870 15 API calls 146382->146528 146384->146371 146389 63ba85 146384->146389 146521 621d90 15 API calls 146384->146521 146522 621de0 20 API calls 146384->146522 146388 63c0b2 146390 63c165 146388->146390 146391 63c18f 146388->146391 146389->146378 146400 63bdb6 
_Yarn 146389->146400 146525 621d90 15 API calls 146389->146525 146526 621de0 20 API calls 146389->146526 146531 684870 15 API calls 146390->146531 146532 684870 15 API calls 146391->146532 146393 63c3e2 146397 63c495 146393->146397 146398 63c4bf 146393->146398 146535 684870 15 API calls 146397->146535 146536 684870 15 API calls 146398->146536 146400->146388 146403 63c187 146400->146403 146529 621d90 15 API calls 146400->146529 146530 621de0 20 API calls 146400->146530 146403->146373 146403->146393 146533 621d90 15 API calls 146403->146533 146534 621de0 20 API calls 146403->146534 146404->146142 146405->146142 146406->146153 146407->146153 146408->146153 146409->146153 146410->146163 146411->146163 146412->146163 146413->146163 146414->146171 146415->146171 146416->146171 146417->146171 146418->146178 146419->146178 146420->146178 146421->146178 146422->146184 146423->146184 146424->146184 146425->146184 146426->146196 146427->146196 146428->146196 146429->146196 146430->146203 146431->146203 146432->146203 146433->146203 146434->146211 146435->146211 146436->146211 146437->146211 146438->146221 146439->146221 146440->146221 146441->146221 146442->146219 146443->146219 146444->146219 146445->146219 146446->146229 146447->146229 146448->146229 146449->146229 146450->146210 146451->146210 146452->146210 146453->146210 146454->146215 146455->146215 146456->146215 146457->146215 146458->146259 146459->146259 146460->146259 146461->146259 146462->146257 146463->146257 146464->146274 146465->146274 146466->146267 146467->146267 146468->146267 146469->146267 146470->146287 146471->146287 146472->146287 146473->146287 146474->146290 146475->146290 146476->146290 146477->146290 146478->146247 146479->146247 146480->146302 146481->146302 146482->146302 146483->146313 146484->146313 146485->146313 146486->146313 146487->146321 146488->146321 146489->146321 146490->146321 146491->146327 146492->146327 146493->146327 146494->146327 146495->146334 146496->146334 146497->146334 
146498->146334 146499->146345 146500->146345 146501->146345 146502->146345 146503->146353 146504->146353 146505->146353 146506->146353 146507->146360 146508->146360 146509->146360 146510->146360 146511->146366 146512->146366 146513->146366 146514->146366 146515->146372 146516->146372 146517->146372 146518->146372 146519->146384 146520->146384 146521->146384 146522->146384 146523->146389 146524->146389 146525->146389 146526->146389 146527->146400 146528->146400 146529->146400 146530->146400 146531->146403 146532->146403 146533->146403 146534->146403 146535->146373 146536->146373 146537 6314b9 146540 6314c2 146537->146540 146539 6317b3 146549 6319ac 146539->146549 146569 631a7c 146539->146569 146654 621d90 15 API calls 146539->146654 146655 621de0 20 API calls 146539->146655 146542 6316a9 146540->146542 146548 631779 146540->146548 146650 621d90 15 API calls 146540->146650 146651 621de0 20 API calls 146540->146651 146543 631781 146542->146543 146544 631757 146542->146544 146653 684870 15 API calls 146543->146653 146652 684870 15 API calls 146544->146652 146615 633fe0 146548->146615 146551 631a84 146549->146551 146552 631a5a 146549->146552 146657 684870 15 API calls 146551->146657 146656 684870 15 API calls 146552->146656 146557 631d97 146661 684870 15 API calls 146557->146661 146558 631d6d 146660 684870 15 API calls 146558->146660 146559 631cbf 146559->146557 146559->146558 146563 631fd2 146565 632080 146563->146565 146566 6320aa 146563->146566 146664 684870 15 API calls 146565->146664 146665 684870 15 API calls 146566->146665 146569->146559 146576 631d8f 146569->146576 146658 621d90 15 API calls 146569->146658 146659 621de0 20 API calls 146569->146659 146572 6323c4 146669 684870 15 API calls 146572->146669 146573 63239a 146668 684870 15 API calls 146573->146668 146574 6322ed 146574->146572 146574->146573 146576->146563 146585 6320a2 146576->146585 146662 621d90 15 API calls 146576->146662 146663 621de0 20 API calls 146576->146663 146579 6325ff 146581 6326d6 
146579->146581 146582 6326ac 146579->146582 146673 684870 15 API calls 146581->146673 146672 684870 15 API calls 146582->146672 146585->146574 146592 6323bc 146585->146592 146666 621d90 15 API calls 146585->146666 146667 621de0 20 API calls 146585->146667 146588 632911 146590 6329e8 146588->146590 146591 6329be 146588->146591 146589 633011 146596 63306a LoadLibraryA CreateThread WaitForSingleObject FreeLibrary 146589->146596 146597 6330ce 146589->146597 146677 684870 15 API calls 146590->146677 146676 684870 15 API calls 146591->146676 146592->146579 146598 6326ce 146592->146598 146670 621d90 15 API calls 146592->146670 146671 621de0 20 API calls 146592->146671 146596->146597 146702 34421f5 99 API calls 146596->146702 146598->146588 146610 6329e0 146598->146610 146674 621d90 15 API calls 146598->146674 146675 621de0 20 API calls 146598->146675 146600 632c26 146601 632cd3 146600->146601 146602 632cfd 146600->146602 146680 684870 15 API calls 146601->146680 146681 684870 15 API calls 146602->146681 146604 632f42 146608 633019 146604->146608 146609 632fef 146604->146609 146685 684870 15 API calls 146608->146685 146684 684870 15 API calls 146609->146684 146610->146600 146614 632cf5 146610->146614 146678 621d90 15 API calls 146610->146678 146679 621de0 20 API calls 146610->146679 146614->146589 146614->146604 146682 621d90 15 API calls 146614->146682 146683 621de0 20 API calls 146614->146683 146628 63400f 146615->146628 146616 634bae 146616->146539 146617 6341c0 146619 634274 146617->146619 146620 63424a 146617->146620 146691 684870 15 API calls 146619->146691 146690 684870 15 API calls 146620->146690 146624 634473 146626 634527 146624->146626 146627 6344fd 146624->146627 146695 684870 15 API calls 146626->146695 146694 684870 15 API calls 146627->146694 146628->146617 146638 63426c 146628->146638 146688 621d90 15 API calls 146628->146688 146689 621de0 20 API calls 146628->146689 146631 634717 146634 6347a1 146631->146634 146635 6347cb 146631->146635 146698 684870 15 
API calls 146634->146698 146699 684870 15 API calls 146635->146699 146638->146624 146642 63451f 146638->146642 146692 621d90 15 API calls 146638->146692 146693 621de0 20 API calls 146638->146693 146641 6349bb 146641->146616 146643 634a6d GetModuleHandleA GetProcAddress 146641->146643 146642->146631 146645 6347c3 146642->146645 146696 621d90 15 API calls 146642->146696 146697 621de0 20 API calls 146642->146697 146646 634a9f _Yarn 146643->146646 146645->146641 146700 621d90 15 API calls 146645->146700 146701 621de0 20 API calls 146645->146701 146647 634b3a VirtualProtect VirtualProtect 146646->146647 146686 680910 146647->146686 146649 634b84 VirtualProtect 146649->146616 146650->146540 146651->146540 146652->146548 146653->146548 146654->146539 146655->146539 146656->146569 146657->146569 146658->146569 146659->146569 146660->146576 146661->146576 146662->146576 146663->146576 146664->146585 146665->146585 146666->146585 146667->146585 146668->146592 146669->146592 146670->146592 146671->146592 146672->146598 146673->146598 146674->146598 146675->146598 146676->146610 146677->146610 146678->146610 146679->146610 146680->146614 146681->146614 146682->146614 146683->146614 146684->146589 146685->146589 146687 680928 146686->146687 146687->146649 146687->146687 146688->146628 146689->146628 146690->146638 146691->146638 146692->146638 146693->146638 146694->146642 146695->146642 146696->146642 146697->146642 146698->146645 146699->146645 146700->146645 146701->146645 146703 625ed9 146714 625ee2 146703->146714 146704 6261f5 LoadLibraryA 146705 626205 146704->146705 146728 62621e 146704->146728 146707 6261b6 147121 684870 15 API calls 146707->147121 146708 62618c 147120 684870 15 API calls 146708->147120 146709 6260de 146709->146707 146709->146708 146713 6261ae 146713->146704 146714->146709 146714->146713 147118 621d90 15 API calls 146714->147118 147119 621de0 20 API calls 146714->147119 146715 62680d 146716 626854 GetProcAddress 146715->146716 146742 626877 
146716->146742 146717 62642c 146719 626503 146717->146719 146720 6264d9 146717->146720 147125 684870 15 API calls 146719->147125 147124 684870 15 API calls 146720->147124 146722 62673e 146726 626815 146722->146726 146727 6267eb 146722->146727 147129 684870 15 API calls 146726->147129 147128 684870 15 API calls 146727->147128 146728->146717 146732 6264fb 146728->146732 147122 621d90 15 API calls 146728->147122 147123 621de0 20 API calls 146728->147123 146732->146715 146732->146722 147126 621d90 15 API calls 146732->147126 147127 621de0 20 API calls 146732->147127 146734 626b21 147132 684870 15 API calls 146734->147132 146735 626b4b 147133 684870 15 API calls 146735->147133 146736 626a73 146736->146734 146736->146735 146740 626d86 146743 626e34 146740->146743 146744 626e5e 146740->146744 146742->146736 146752 626b43 146742->146752 147130 621d90 15 API calls 146742->147130 147131 621de0 20 API calls 146742->147131 147136 684870 15 API calls 146743->147136 147137 684870 15 API calls 146744->147137 146749 627171 147141 684870 15 API calls 146749->147141 146750 627147 147140 684870 15 API calls 146750->147140 146751 627099 146751->146749 146751->146750 146752->146740 146763 626e56 146752->146763 147134 621d90 15 API calls 146752->147134 147135 621de0 20 API calls 146752->147135 146757 6273ac 146758 627484 146757->146758 146759 62745a 146757->146759 147145 684870 15 API calls 146758->147145 147144 684870 15 API calls 146759->147144 146761 6276bf 146766 627797 146761->146766 146767 62776d 146761->146767 146763->146751 146770 627169 146763->146770 147138 621d90 15 API calls 146763->147138 147139 621de0 20 API calls 146763->147139 147149 684870 15 API calls 146766->147149 147148 684870 15 API calls 146767->147148 146770->146757 146778 62747c 146770->146778 147142 621d90 15 API calls 146770->147142 147143 621de0 20 API calls 146770->147143 146773 6279d2 146774 627a80 146773->146774 146775 627aaa 146773->146775 147152 684870 15 API calls 146774->147152 147153 684870 15 API 
calls 146775->147153 146776 627ce5 146782 627d93 146776->146782 146783 627dbd 146776->146783 146778->146761 146784 62778f 146778->146784 147146 621d90 15 API calls 146778->147146 147147 621de0 20 API calls 146778->147147 147156 684870 15 API calls 146782->147156 147157 684870 15 API calls 146783->147157 146784->146773 146797 627aa2 146784->146797 147150 621d90 15 API calls 146784->147150 147151 621de0 20 API calls 146784->147151 146788 6286ee 146791 628735 GetProcAddress 146788->146791 146789 627ff8 146792 6280d0 146789->146792 146793 6280a6 146789->146793 146826 628758 146791->146826 147161 684870 15 API calls 146792->147161 147160 684870 15 API calls 146793->147160 146795 62830b 146800 6283e3 146795->146800 146801 6283b9 146795->146801 146797->146776 146805 627db5 146797->146805 147154 621d90 15 API calls 146797->147154 147155 621de0 20 API calls 146797->147155 147165 684870 15 API calls 146800->147165 147164 684870 15 API calls 146801->147164 146803 62861e 146808 6286f6 146803->146808 146809 6286cc 146803->146809 146805->146789 146811 6280c8 146805->146811 147158 621d90 15 API calls 146805->147158 147159 621de0 20 API calls 146805->147159 147169 684870 15 API calls 146808->147169 147168 684870 15 API calls 146809->147168 146811->146795 146814 6283db 146811->146814 147162 621d90 15 API calls 146811->147162 147163 621de0 20 API calls 146811->147163 146814->146788 146814->146803 147166 621d90 15 API calls 146814->147166 147167 621de0 20 API calls 146814->147167 146815 628954 146817 628a02 146815->146817 146818 628a2c 146815->146818 147172 684870 15 API calls 146817->147172 147173 684870 15 API calls 146818->147173 146823 628d15 147176 684870 15 API calls 146823->147176 146824 628d3f 147177 684870 15 API calls 146824->147177 146825 628c67 146825->146823 146825->146824 146826->146815 146837 628a24 146826->146837 147170 621d90 15 API calls 146826->147170 147171 621de0 20 API calls 146826->147171 146830 628f7a 146832 629052 146830->146832 146833 629028 146830->146833 
147181 684870 15 API calls 146832->147181 147180 684870 15 API calls 146833->147180 146835 6299a1 146842 6299e8 GetProcAddress 146835->146842 146837->146825 146847 628d37 146837->146847 147174 621d90 15 API calls 146837->147174 147175 621de0 20 API calls 146837->147175 146840 629365 147185 684870 15 API calls 146840->147185 146841 62933b 147184 684870 15 API calls 146841->147184 146878 629a14 146842->146878 146843 62928d 146843->146840 146843->146841 146845 6295a0 146850 629678 146845->146850 146851 62964e 146845->146851 146847->146830 146853 62904a 146847->146853 147178 621d90 15 API calls 146847->147178 147179 621de0 20 API calls 146847->147179 147189 684870 15 API calls 146850->147189 147188 684870 15 API calls 146851->147188 146853->146843 146857 62935d 146853->146857 147182 621d90 15 API calls 146853->147182 147183 621de0 20 API calls 146853->147183 146857->146845 146864 629670 146857->146864 147186 621d90 15 API calls 146857->147186 147187 621de0 20 API calls 146857->147187 146858 6299a9 147193 684870 15 API calls 146858->147193 146859 62997f 147192 684870 15 API calls 146859->147192 146860 6298cb 146860->146858 146860->146859 146864->146835 146864->146860 147190 621d90 15 API calls 146864->147190 147191 621de0 20 API calls 146864->147191 146866 629c1f 146867 629cd2 146866->146867 146868 629cfc 146866->146868 147196 684870 15 API calls 146867->147196 147197 684870 15 API calls 146868->147197 146870 629f4f 146874 62a002 146870->146874 146875 62a02c 146870->146875 147200 684870 15 API calls 146874->147200 147201 684870 15 API calls 146875->147201 146878->146866 146886 629cf4 146878->146886 147194 621d90 15 API calls 146878->147194 147195 621de0 20 API calls 146878->147195 146881 62a27f 146882 62a332 146881->146882 146883 62a35c 146881->146883 147204 684870 15 API calls 146882->147204 147205 684870 15 API calls 146883->147205 146884 62a5af 146890 62a662 146884->146890 146891 62a68c 146884->146891 146886->146870 146893 62a024 146886->146893 147198 621d90 15 API 
calls 146886->147198 147199 621de0 20 API calls 146886->147199 147208 684870 15 API calls 146890->147208 147209 684870 15 API calls 146891->147209 146892 62ace4 146899 62af3f 146892->146899 146935 62b014 146892->146935 147218 621d90 15 API calls 146892->147218 147219 621de0 20 API calls 146892->147219 146893->146881 146910 62a354 146893->146910 147202 621d90 15 API calls 146893->147202 147203 621de0 20 API calls 146893->147203 146898 62a8df 146901 62a992 146898->146901 146902 62a9bc 146898->146902 146917 62aff2 146899->146917 146918 62b01c 146899->146918 146900 62a684 146900->146898 146907 62a9b4 146900->146907 147210 621d90 15 API calls 146900->147210 147211 621de0 20 API calls 146900->147211 147212 684870 15 API calls 146901->147212 147213 684870 15 API calls 146902->147213 146905 62b674 146919 62b6bb GetProcAddress 146905->146919 146907->146892 146909 62ac0f 146907->146909 147214 621d90 15 API calls 146907->147214 147215 621de0 20 API calls 146907->147215 146911 62acc2 146909->146911 146912 62acec 146909->146912 146910->146884 146910->146900 147206 621d90 15 API calls 146910->147206 147207 621de0 20 API calls 146910->147207 147216 684870 15 API calls 146911->147216 147217 684870 15 API calls 146912->147217 147220 684870 15 API calls 146917->147220 147221 684870 15 API calls 146918->147221 146950 62b6e7 146919->146950 146921 62b26f 146925 62b322 146921->146925 146926 62b34c 146921->146926 147224 684870 15 API calls 146925->147224 147225 684870 15 API calls 146926->147225 146931 62b652 147228 684870 15 API calls 146931->147228 146932 62b67c 147229 684870 15 API calls 146932->147229 146933 62b344 146933->146905 146934 62b59f 146933->146934 147226 621d90 15 API calls 146933->147226 147227 621de0 20 API calls 146933->147227 146934->146931 146934->146932 146935->146921 146935->146933 147222 621d90 15 API calls 146935->147222 147223 621de0 20 API calls 146935->147223 146940 62b8f2 146942 62b9d0 146940->146942 146943 62b9a6 146940->146943 146941 62c68c 146944 62c6e5 
FreeLibrary 146941->146944 146994 62c708 146941->146994 147233 684870 15 API calls 146942->147233 147232 684870 15 API calls 146943->147232 146944->146705 146949 62bc23 146951 62bd01 146949->146951 146952 62bcd7 146949->146952 146950->146940 146962 62b9c8 146950->146962 147230 621d90 15 API calls 146950->147230 147231 621de0 20 API calls 146950->147231 147237 684870 15 API calls 146951->147237 147236 684870 15 API calls 146952->147236 146957 62bf54 146958 62c032 146957->146958 146959 62c008 146957->146959 147241 684870 15 API calls 146958->147241 147240 684870 15 API calls 146959->147240 146960 62c285 146966 62c363 146960->146966 146967 62c339 146960->146967 146962->146949 146968 62bcf9 146962->146968 147234 621d90 15 API calls 146962->147234 147235 621de0 20 API calls 146962->147235 147245 684870 15 API calls 146966->147245 147244 684870 15 API calls 146967->147244 146968->146957 146978 62c02a 146968->146978 147238 621d90 15 API calls 146968->147238 147239 621de0 20 API calls 146968->147239 146972 62c5b6 146974 62c694 146972->146974 146975 62c66a 146972->146975 147249 684870 15 API calls 146974->147249 147248 684870 15 API calls 146975->147248 146978->146960 146980 62c35b 146978->146980 147242 621d90 15 API calls 146978->147242 147243 621de0 20 API calls 146978->147243 146980->146941 146980->146972 147246 621d90 15 API calls 146980->147246 147247 621de0 20 API calls 146980->147247 146982 62c92e 146983 62c9e1 146982->146983 146984 62ca0b 146982->146984 147252 684870 15 API calls 146983->147252 147253 684870 15 API calls 146984->147253 146989 62cd11 147256 684870 15 API calls 146989->147256 146990 62cd3b 147257 684870 15 API calls 146990->147257 146991 62cc5e 146991->146989 146991->146990 146994->146982 147001 62ca03 146994->147001 147250 621d90 15 API calls 146994->147250 147251 621de0 20 API calls 146994->147251 146997 62cf8e 146998 62d041 146997->146998 146999 62d06b 146997->146999 147260 684870 15 API calls 146998->147260 147261 684870 15 API calls 
146999->147261 147001->146991 147008 62cd33 147001->147008 147254 621d90 15 API calls 147001->147254 147255 621de0 20 API calls 147001->147255 147005 62d2be 147006 62d371 147005->147006 147007 62d39b 147005->147007 147264 684870 15 API calls 147006->147264 147265 684870 15 API calls 147007->147265 147008->146997 147017 62d063 147008->147017 147258 621d90 15 API calls 147008->147258 147259 621de0 20 API calls 147008->147259 147012 62d5ee 147014 62d6a1 147012->147014 147015 62d6cb 147012->147015 147268 684870 15 API calls 147014->147268 147269 684870 15 API calls 147015->147269 147017->147005 147020 62d393 147017->147020 147262 621d90 15 API calls 147017->147262 147263 621de0 20 API calls 147017->147263 147020->147012 147034 62d6c3 147020->147034 147266 621d90 15 API calls 147020->147266 147267 621de0 20 API calls 147020->147267 147022 62d936 147023 62da13 147022->147023 147024 62d9e9 147022->147024 147273 684870 15 API calls 147023->147273 147272 684870 15 API calls 147024->147272 147026 62dc66 147030 62dd43 147026->147030 147031 62dd19 147026->147031 147277 684870 15 API calls 147030->147277 147276 684870 15 API calls 147031->147276 147032 62df96 147038 62e073 147032->147038 147039 62e049 147032->147039 147034->147022 147040 62da0b 147034->147040 147270 621d90 15 API calls 147034->147270 147271 621de0 20 API calls 147034->147271 147281 684870 15 API calls 147038->147281 147280 684870 15 API calls 147039->147280 147040->147026 147055 62dd3b 147040->147055 147274 621d90 15 API calls 147040->147274 147275 621de0 20 API calls 147040->147275 147044 62e9dd 147049 62ea38 InternetOpenA 147044->147049 147045 62e2c6 147047 62e3a3 147045->147047 147048 62e379 147045->147048 147285 684870 15 API calls 147047->147285 147284 684870 15 API calls 147048->147284 147082 62ea57 147049->147082 147053 62e5de 147056 62e6b5 147053->147056 147057 62e68b 147053->147057 147055->147032 147060 62e06b 147055->147060 147278 621d90 15 API calls 147055->147278 147279 621de0 20 API calls 
147055->147279 147289 684870 15 API calls 147056->147289 147288 684870 15 API calls 147057->147288 147060->147045 147069 62e39b 147060->147069 147282 621d90 15 API calls 147060->147282 147283 621de0 20 API calls 147060->147283 147063 62f036 147068 62f074 FreeLibrary 147063->147068 147102 62f097 147063->147102 147064 62e9e5 147293 684870 15 API calls 147064->147293 147065 62e9bb 147292 684870 15 API calls 147065->147292 147066 62e908 147066->147064 147066->147065 147068->146705 147069->147053 147072 62e6ad 147069->147072 147286 621d90 15 API calls 147069->147286 147287 621de0 20 API calls 147069->147287 147072->147044 147072->147066 147290 621d90 15 API calls 147072->147290 147291 621de0 20 API calls 147072->147291 147074 62ec53 147075 62ed01 147074->147075 147076 62ed2b 147074->147076 147296 684870 15 API calls 147075->147296 147297 684870 15 API calls 147076->147297 147081 62ef66 147083 62f014 147081->147083 147084 62f03e 147081->147084 147082->147074 147091 62ed23 147082->147091 147294 621d90 15 API calls 147082->147294 147295 621de0 20 API calls 147082->147295 147300 684870 15 API calls 147083->147300 147301 684870 15 API calls 147084->147301 147089 62f2a5 147093 62f352 147089->147093 147094 62f37c 147089->147094 147090 62f698 std::runtime_error::runtime_error _strlen 147092 62f6f6 InternetOpenUrlA 147090->147092 147091->147063 147091->147081 147298 621d90 15 API calls 147091->147298 147299 621de0 20 API calls 147091->147299 147097 62f782 InternetReadFile 147092->147097 147098 62f734 FreeLibrary 147092->147098 147304 684870 15 API calls 147093->147304 147305 684870 15 API calls 147094->147305 147100 62f7b2 147097->147100 147101 62f7bb FreeLibrary 147097->147101 147105 62f75f 147098->147105 147100->147097 147100->147101 147106 634c60 std::ios_base::failure::failure 41 API calls 147100->147106 147116 62f82a std::ios_base::failure::failure 147101->147116 147102->147089 147114 62f374 147102->147114 147302 621d90 15 API calls 147102->147302 147303 621de0 20 API calls 
147102->147303 147310 624120 39 API calls task 147105->147310 147106->147100 147107 62f5c9 147108 62f6a0 147107->147108 147109 62f676 147107->147109 147309 684870 15 API calls 147108->147309 147308 684870 15 API calls 147109->147308 147114->147090 147114->147107 147306 621d90 15 API calls 147114->147306 147307 621de0 20 API calls 147114->147307 147311 624120 39 API calls task 147116->147311 147118->146714 147119->146714 147120->146713 147121->146713 147122->146728 147123->146728 147124->146732 147125->146732 147126->146732 147127->146732 147128->146715 147129->146715 147130->146742 147131->146742 147132->146752 147133->146752 147134->146752 147135->146752 147136->146763 147137->146763 147138->146763 147139->146763 147140->146770 147141->146770 147142->146770 147143->146770 147144->146778 147145->146778 147146->146778 147147->146778 147148->146784 147149->146784 147150->146784 147151->146784 147152->146797 147153->146797 147154->146797 147155->146797 147156->146805 147157->146805 147158->146805 147159->146805 147160->146811 147161->146811 147162->146811 147163->146811 147164->146814 147165->146814 147166->146814 147167->146814 147168->146788 147169->146788 147170->146826 147171->146826 147172->146837 147173->146837 147174->146837 147175->146837 147176->146847 147177->146847 147178->146847 147179->146847 147180->146853 147181->146853 147182->146853 147183->146853 147184->146857 147185->146857 147186->146857 147187->146857 147188->146864 147189->146864 147190->146864 147191->146864 147192->146835 147193->146835 147194->146878 147195->146878 147196->146886 147197->146886 147198->146886 147199->146886 147200->146893 147201->146893 147202->146893 147203->146893 147204->146910 147205->146910 147206->146910 147207->146910 147208->146900 147209->146900 147210->146900 147211->146900 147212->146907 147213->146907 147214->146907 147215->146907 147216->146892 147217->146892 147218->146892 147219->146892 147220->146935 147221->146935 147222->146935 147223->146935 147224->146933 
147225->146933 147226->146933 147227->146933 147228->146905 147229->146905 147230->146950 147231->146950 147232->146962 147233->146962 147234->146962 147235->146962 147236->146968 147237->146968 147238->146968 147239->146968 147240->146978 147241->146978 147242->146978 147243->146978 147244->146980 147245->146980 147246->146980 147247->146980 147248->146941 147249->146941 147250->146994 147251->146994 147252->147001 147253->147001 147254->147001 147255->147001 147256->147008 147257->147008 147258->147008 147259->147008 147260->147017 147261->147017 147262->147017 147263->147017 147264->147020 147265->147020 147266->147020 147267->147020 147268->147034 147269->147034 147270->147034 147271->147034 147272->147040 147273->147040 147274->147040 147275->147040 147276->147055 147277->147055 147278->147055 147279->147055 147280->147060 147281->147060 147282->147060 147283->147060 147284->147069 147285->147069 147286->147069 147287->147069 147288->147072 147289->147072 147290->147072 147291->147072 147292->147044 147293->147044 147294->147082 147295->147082 147296->147091 147297->147091 147298->147091 147299->147091 147300->147063 147301->147063 147302->147102 147303->147102 147304->147114 147305->147114 147306->147114 147307->147114 147308->147090 147309->147090 147310->146705 147311->146705 147312 62e6ee 147324 62e6fd 147312->147324 147313 62e9dd 147314 62ea38 InternetOpenA 147313->147314 147334 62ea57 147314->147334 147316 62f036 147321 62f074 FreeLibrary 147316->147321 147355 62f097 147316->147355 147317 62e9e5 147374 684870 15 API calls 147317->147374 147318 62e9bb 147373 684870 15 API calls 147318->147373 147319 62e908 147319->147317 147319->147318 147367 62f086 147321->147367 147324->147313 147324->147319 147371 621d90 15 API calls 147324->147371 147372 621de0 20 API calls 147324->147372 147326 62ec53 147327 62ed01 147326->147327 147328 62ed2b 147326->147328 147377 684870 15 API calls 147327->147377 147378 684870 15 API calls 147328->147378 147333 62ef66 147335 
62f014 147333->147335 147336 62f03e 147333->147336 147334->147326 147343 62ed23 147334->147343 147375 621d90 15 API calls 147334->147375 147376 621de0 20 API calls 147334->147376 147381 684870 15 API calls 147335->147381 147382 684870 15 API calls 147336->147382 147341 62f2a5 147345 62f352 147341->147345 147346 62f37c 147341->147346 147342 62f698 std::runtime_error::runtime_error _strlen 147344 62f6f6 InternetOpenUrlA 147342->147344 147343->147316 147343->147333 147379 621d90 15 API calls 147343->147379 147380 621de0 20 API calls 147343->147380 147349 62f782 InternetReadFile 147344->147349 147350 62f734 FreeLibrary 147344->147350 147385 684870 15 API calls 147345->147385 147386 684870 15 API calls 147346->147386 147352 62f7b2 147349->147352 147353 62f7bb FreeLibrary 147349->147353 147358 62f75f 147350->147358 147352->147349 147352->147353 147359 634c60 std::ios_base::failure::failure 41 API calls 147352->147359 147369 62f82a std::ios_base::failure::failure 147353->147369 147354 62f5c9 147360 62f6a0 147354->147360 147361 62f676 147354->147361 147355->147341 147366 62f374 147355->147366 147383 621d90 15 API calls 147355->147383 147384 621de0 20 API calls 147355->147384 147391 624120 39 API calls task 147358->147391 147359->147352 147390 684870 15 API calls 147360->147390 147389 684870 15 API calls 147361->147389 147366->147342 147366->147354 147387 621d90 15 API calls 147366->147387 147388 621de0 20 API calls 147366->147388 147392 624120 39 API calls task 147369->147392 147371->147324 147372->147324 147373->147313 147374->147313 147375->147334 147376->147334 147377->147343 147378->147343 147379->147343 147380->147343 147381->147316 147382->147316 147383->147355 147384->147355 147385->147366 147386->147366 147387->147366 147388->147366 147389->147342 147390->147342 147391->147367 147392->147367
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: d
                                                                • API String ID: 0-2564639436
                                                                • Opcode ID: b462eef3a288483f85185cf9b14fd7eff17df278ea32629153975a22d7e2361c
                                                                • Instruction ID: ea902cac9899be9779bc1e65e2e4d7699f8193a03145859f0d8874f8d93bcb19
                                                                • Opcode Fuzzy Hash: b462eef3a288483f85185cf9b14fd7eff17df278ea32629153975a22d7e2361c
                                                                • Instruction Fuzzy Hash: 18143471D04E29CACB62DF24EC916AEB776FF56344F1086C9E40A7A241EB319AD1CF41

                                                                Control-flow Graph

                                                                control_flow_graph: function 03444BA2-03444E26 (graph node and edge listing not reproduced; the graph's nodes reference KiUserCallbackDispatcher, GetSystemMetrics, GetDC, GetCurrentObject, GetObjectW, DeleteObject, CreateCompatibleDC, CreateDIBSection, SelectObject, BitBlt, DeleteDC and ReleaseDC, whose call sites are itemised under APIs below)
                                                                APIs
                                                                  • Part of subcall function 034446D4: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,03444812), ref: 034446E6
                                                                  • Part of subcall function 034446D4: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,03444812), ref: 034446F3
                                                                • KiUserCallbackDispatcher.NTDLL(0000004C), ref: 03444C13
                                                                • GetSystemMetrics.USER32(0000004D), ref: 03444C1A
                                                                • GetDC.USER32(00000000), ref: 03444C55
                                                                • GetCurrentObject.GDI32(00000000,00000007), ref: 03444C68
                                                                • GetObjectW.GDI32(00000000,00000018,?), ref: 03444C81
                                                                • DeleteObject.GDI32(00000000), ref: 03444CB3
                                                                • CreateCompatibleDC.GDI32(00000000), ref: 03444D14
                                                                • CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 03444D35
                                                                • SelectObject.GDI32(00000000,00000000), ref: 03444D47
                                                                • BitBlt.GDI32(00000000,00000000,00000000,?,03442468,00000000,?,?,00CC0020), ref: 03444D6C
                                                                  • Part of subcall function 03443508: EnterCriticalSection.KERNEL32(034484D4,?,?,03443BE5,?,03442251), ref: 03443512
                                                                  • Part of subcall function 03443508: GetProcessHeap.KERNEL32(00000008,?,?,?,03443BE5,?,03442251), ref: 0344351B
                                                                  • Part of subcall function 03443508: RtlAllocateHeap.NTDLL(00000000,?,?,?,03443BE5,?,03442251), ref: 03443522
                                                                  • Part of subcall function 03443508: LeaveCriticalSection.KERNEL32(034484D4,?,?,?,03443BE5,?,03442251), ref: 0344352B
                                                                  • Part of subcall function 03443D76: EnterCriticalSection.KERNEL32(034484D4,?,0000011C), ref: 03443D88
                                                                  • Part of subcall function 03443536: GetProcessHeap.KERNEL32(00000000,00000000,0344264F), ref: 0344353D
                                                                  • Part of subcall function 03443536: RtlFreeHeap.NTDLL(00000000), ref: 03443544
                                                                • DeleteObject.GDI32(00000000), ref: 03444E0A
                                                                • DeleteDC.GDI32(00000000), ref: 03444E11
                                                                • ReleaseDC.USER32(00000000,00000000), ref: 03444E1A
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3455474502.0000000003440000.00000040.00001000.00020000.00000000.sdmp, Offset: 03440000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_3440000_698B.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Object$HeapSection$CriticalDelete$CreateEnterProcess$AllocateCallbackCompatibleCurrentDispatcherFreeHandleLeaveLibraryLoadMetricsModuleReleaseSelectSystemUser
                                                                • String ID: ($- ScreenSize: {lWidth=%d, lHeight=%d}$2$6$U$er32$gdi3
                                                                • API String ID: 1387450592-1028866296
                                                                • Opcode ID: 4904db4dc555858756d5cd14e41fc212d64a8b817ee2bc400a9cd671f5826d06
                                                                • Instruction ID: 785e996daad42890a67d2200bbeef944487a3a3188d5a01e0fc13f368de78ba3
                                                                • Opcode Fuzzy Hash: 4904db4dc555858756d5cd14e41fc212d64a8b817ee2bc400a9cd671f5826d06
                                                                • Instruction Fuzzy Hash: AE719279D00308ABEB21EFA5DC45BEEBBB5EF44700F14406AE604BF290DB719A14CB59

                                                                Control-flow Graph

                                                                control_flow_graph: function 03441000-03441A62 (graph node and edge listing not reproduced; the graph's nodes reference FindFirstFileW, FindNextFileW, EnterCriticalSection and LeaveCriticalSection, whose call sites are itemised under APIs below)
                                                                APIs
                                                                • FindNextFileW.KERNELBASE(?,?), ref: 034413C7
                                                                  • Part of subcall function 0344407D: GetFileAttributesW.KERNELBASE(00BFF5F8,03441035,00BFF5F8,?), ref: 0344407E
                                                                  • Part of subcall function 03443508: EnterCriticalSection.KERNEL32(034484D4,?,?,03443BE5,?,03442251), ref: 03443512
                                                                  • Part of subcall function 03443508: GetProcessHeap.KERNEL32(00000008,?,?,?,03443BE5,?,03442251), ref: 0344351B
                                                                  • Part of subcall function 03443508: RtlAllocateHeap.NTDLL(00000000,?,?,?,03443BE5,?,03442251), ref: 03443522
                                                                  • Part of subcall function 03443508: LeaveCriticalSection.KERNEL32(034484D4,?,?,?,03443BE5,?,03442251), ref: 0344352B
                                                                • FindFirstFileW.KERNELBASE(00000000,?,00BFF5F8,?), ref: 03441161
                                                                  • Part of subcall function 03443EFC: FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 03443F5D
                                                                  • Part of subcall function 03443EFC: FindNextFileW.KERNEL32(03441710,?), ref: 03443FFE
                                                                • EnterCriticalSection.KERNEL32(034484D4), ref: 03441668
                                                                • LeaveCriticalSection.KERNEL32(034484D4), ref: 03441681
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3455474502.0000000003440000.00000040.00001000.00020000.00000000.sdmp, Offset: 03440000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_3440000_698B.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: File$CriticalFindSection$EnterFirstHeapLeaveNext$AllocateAttributesProcess
                                                                • String ID: $Lr$%s%s$%s\%s$%s\*$7a?=$Telegram
                                                                • API String ID: 1893179121-1537637304
                                                                • Opcode ID: 9fad38dca3eef247c92e3c3fb0e6c2c22eb794a474e6a725f4b29eac8d1cd66e
                                                                • Instruction ID: e49589cb781571864deec40df231516a869f119f944424a001506fed0b76e76e
                                                                • Opcode Fuzzy Hash: 9fad38dca3eef247c92e3c3fb0e6c2c22eb794a474e6a725f4b29eac8d1cd66e
                                                                • Instruction Fuzzy Hash: A132E265E003245AFB25EBA59880BFEB3B5AF44610F18407BD815AF390EF748DC5CB99

                                                                Control-flow Graph

                                                                control_flow_graph: function 03442054-034421F4 (graph node and edge listing not reproduced; the graph's nodes reference GetCurrentHwProfileA, GetSystemInfo, GlobalMemoryStatusEx and EnumDisplayDevicesA, whose call sites are itemised under APIs below)
                                                                APIs
                                                                  • Part of subcall function 03443508: EnterCriticalSection.KERNEL32(034484D4,?,?,03443BE5,?,03442251), ref: 03443512
                                                                  • Part of subcall function 03443508: GetProcessHeap.KERNEL32(00000008,?,?,?,03443BE5,?,03442251), ref: 0344351B
                                                                  • Part of subcall function 03443508: RtlAllocateHeap.NTDLL(00000000,?,?,?,03443BE5,?,03442251), ref: 03443522
                                                                  • Part of subcall function 03443508: LeaveCriticalSection.KERNEL32(034484D4,?,?,?,03443BE5,?,03442251), ref: 0344352B
                                                                • GetCurrentHwProfileA.ADVAPI32(?), ref: 0344210B
                                                                • GetSystemInfo.KERNELBASE(?,?,0000011C), ref: 03442132
                                                                • GlobalMemoryStatusEx.KERNELBASE(?), ref: 03442166
                                                                • EnumDisplayDevicesA.USER32(00000000,00000002,?,00000001), ref: 034421E8
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3455474502.0000000003440000.00000040.00001000.00020000.00000000.sdmp, Offset: 03440000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_3440000_698B.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CriticalHeapSection$AllocateCurrentDevicesDisplayEnterEnumGlobalInfoLeaveMemoryProcessProfileStatusSystem
                                                                • String ID: - CPU: %s (%d cores)$- HWID: %s$- RAM: %d GB$- VideoAdapter #%d: %s$@
                                                                • API String ID: 330852582-565344305
                                                                • Opcode ID: 7383d08ef0cf3715e2f0962c47e79bc878f528e1200ebcffc3a488f9c266c8fc
                                                                • Instruction ID: 1949ee1357000da1453cab059d80ee6b3c975cc23a70f4a91299e6b0211df51e
                                                                • Opcode Fuzzy Hash: 7383d08ef0cf3715e2f0962c47e79bc878f528e1200ebcffc3a488f9c266c8fc
                                                                • Instruction Fuzzy Hash: 4E41D2756043059FE321DF14C881BABBBE8EB84710F04493EF9999F241E770D945CBA6

                                                                Control-flow Graph
                                                                APIs
                                                                • FindFirstFileW.KERNELBASE(00000000,?,00000000,034484D4,?), ref: 03444ECD
                                                                • EnterCriticalSection.KERNEL32(034484D4), ref: 03444F89
                                                                  • Part of subcall function 03444E27: LeaveCriticalSection.KERNEL32(034484D4), ref: 03444FA6
                                                                • FindNextFileW.KERNELBASE(?,?), ref: 03445175
                                                                  • Part of subcall function 0344407D: GetFileAttributesW.KERNELBASE(00BFF5F8,03441035,00BFF5F8,?), ref: 0344407E
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3455474502.0000000003440000.00000040.00001000.00020000.00000000.sdmp, Offset: 03440000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_3440000_698B.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: File$CriticalFindSection$AttributesEnterFirstLeaveNext
                                                                • String ID: %s\%s$%s\*$Telegram
                                                                • API String ID: 648860119-4994844
                                                                • Opcode ID: 1e534c29d77b16996e817c17b55de58ce3fc1052f450bef9a199453a51142a29
                                                                • Instruction ID: 7820ed0dd8640203e912cce63a9da564da306cf1016721173f8f8a723722f287
                                                                • Opcode Fuzzy Hash: 1e534c29d77b16996e817c17b55de58ce3fc1052f450bef9a199453a51142a29
                                                                • Instruction Fuzzy Hash: 9FA18329E14348AAFF10EBA0E845BBEB775EF44710F20546FE504EF2A0EBB14A45875D

                                                                Control-flow Graph
                                                                APIs
                                                                • FindFirstFileW.KERNELBASE(?), ref: 03441D83
                                                                  • Part of subcall function 03443508: EnterCriticalSection.KERNEL32(034484D4,?,?,03443BE5,?,03442251), ref: 03443512
                                                                  • Part of subcall function 03443508: GetProcessHeap.KERNEL32(00000008,?,?,?,03443BE5,?,03442251), ref: 0344351B
                                                                  • Part of subcall function 03443508: RtlAllocateHeap.NTDLL(00000000,?,?,?,03443BE5,?,03442251), ref: 03443522
                                                                  • Part of subcall function 03443508: LeaveCriticalSection.KERNEL32(034484D4,?,?,?,03443BE5,?,03442251), ref: 0344352B
                                                                • FindNextFileW.KERNELBASE(00000000,?), ref: 03441F07
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3455474502.0000000003440000.00000040.00001000.00020000.00000000.sdmp, Offset: 03440000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_3440000_698B.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CriticalFileFindHeapSection$AllocateEnterFirstLeaveNextProcess
                                                                • String ID: %s%s$%s\%s$%s\*
                                                                • API String ID: 3555643018-2064654797
                                                                • Opcode ID: 636088c5013db3d09516b4ab225070b38bae38119bebdf6b26796bb264410b84
                                                                • Instruction ID: 9e565bdd807766da2c9fdb8ec00fd9663fd9e756de9e3eedbbb0233c260e79cb
                                                                • Opcode Fuzzy Hash: 636088c5013db3d09516b4ab225070b38bae38119bebdf6b26796bb264410b84
                                                                • Instruction Fuzzy Hash: D941D47D6043418FE724EF25D840A6EB7E8AF84600F14493FE955CF2A1EB31D956874E

                                                                Control-flow Graph
                                                                APIs
                                                                  • Part of subcall function 034446D4: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,03444812), ref: 034446E6
                                                                  • Part of subcall function 034446D4: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,03444812), ref: 034446F3
                                                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?,00000000), ref: 03441CF3
                                                                • CryptProtectData.CRYPT32(?,?,00000000,00000000,00000000,00000000,?), ref: 03441D29
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3455474502.0000000003440000.00000040.00001000.00020000.00000000.sdmp, Offset: 03440000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_3440000_698B.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CryptData$HandleLibraryLoadModuleProtectUnprotect
                                                                • String ID: CRYPT32.dll$Poverty is the parent of crime.
                                                                • API String ID: 3642467563-1885057629
                                                                • Opcode ID: b1e929b5754bdb23646486b211b98db687f30516423f24faba177d5c6c856dfa
                                                                • Instruction ID: 332eab0fee82b7eb0c3eb08fffe65a8d9f7766e45c8ffecdb38218388257e948
                                                                • Opcode Fuzzy Hash: b1e929b5754bdb23646486b211b98db687f30516423f24faba177d5c6c856dfa
                                                                • Instruction Fuzzy Hash: 3A114DB5D0020CABEB10DF95C8808EFFBBDEB48210F14456AE915B7240E770AE45CBA4

                                                                Control-flow Graph
                                                                APIs
                                                                • InitializeCriticalSectionAndSpinCount.KERNEL32(034484D4,00000DA3), ref: 0344220A
                                                                • CreateMutexA.KERNELBASE(00000000,00000000,1e7f31ac-1494-47cc-9633-054c20e7432e), ref: 03442222
                                                                • GetLastError.KERNEL32 ref: 03442235
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3455474502.0000000003440000.00000040.00001000.00020000.00000000.sdmp, Offset: 03440000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_3440000_698B.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CountCreateCriticalErrorInitializeLastMutexSectionSpin
                                                                • String ID: $$$d.log$- OperationSystem: %d:%d:%d$- UserAgent: %s$1e7f31ac-1494-47cc-9633-054c20e7432e$@$kernel32$shell32$systemd
                                                                • API String ID: 2005177960-3436640841
                                                                • Opcode ID: f98b878b84c4a648497fd0a69c7f539a229cce98bb6bcc91020ce7598a1d3b16
                                                                • Instruction ID: f15442dc65476a1064e3a9610bd36f2da0f73e939fb118cfc38c5a591d70190a
                                                                • Opcode Fuzzy Hash: f98b878b84c4a648497fd0a69c7f539a229cce98bb6bcc91020ce7598a1d3b16
                                                                • Instruction Fuzzy Hash: 69C1D538904344AFFB11FFA1EC45BAD7BB5AB05700F0444BAE211BE2D1DBB65A45CB29

                                                                Control-flow Graph

                                                                APIs
                                                                  • Part of subcall function 0344407D: GetFileAttributesW.KERNELBASE(00BFF5F8,03441035,00BFF5F8,?), ref: 0344407E
                                                                  • Part of subcall function 03443508: EnterCriticalSection.KERNEL32(034484D4,?,?,03443BE5,?,03442251), ref: 03443512
                                                                  • Part of subcall function 03443508: GetProcessHeap.KERNEL32(00000008,?,?,?,03443BE5,?,03442251), ref: 0344351B
                                                                  • Part of subcall function 03443508: RtlAllocateHeap.NTDLL(00000000,?,?,?,03443BE5,?,03442251), ref: 03443522
                                                                  • Part of subcall function 03443508: LeaveCriticalSection.KERNEL32(034484D4,?,?,?,03443BE5,?,03442251), ref: 0344352B
                                                                • EnterCriticalSection.KERNEL32(034484D4), ref: 034444F5
                                                                • LeaveCriticalSection.KERNEL32(034484D4), ref: 03444541
                                                                • EnterCriticalSection.KERNEL32(034484D4), ref: 034445C4
                                                                • LeaveCriticalSection.KERNEL32(034484D4), ref: 034445FD
                                                                • EnterCriticalSection.KERNEL32(034484D4), ref: 0344463A
                                                                • LeaveCriticalSection.KERNEL32(034484D4), ref: 0344467D
                                                                • EnterCriticalSection.KERNEL32(034484D4), ref: 03444696
                                                                • LeaveCriticalSection.KERNEL32(034484D4), ref: 034446BF
                                                                  • Part of subcall function 034442EC: GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation,?,00000000,?,?,?,?,?,03444574), ref: 03444305
                                                                  • Part of subcall function 034442EC: GetProcAddress.KERNEL32(00000000), ref: 0344430E
                                                                  • Part of subcall function 034442EC: GetModuleHandleA.KERNEL32(ntdll,NtQueryObject,?,?,?,?,03444574), ref: 0344431F
                                                                  • Part of subcall function 034442EC: GetProcAddress.KERNEL32(00000000), ref: 03444322
                                                                  • Part of subcall function 034442EC: OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,?,?,03444574), ref: 034443A4
                                                                  • Part of subcall function 034442EC: GetCurrentProcess.KERNEL32(03444574,00000000,00000000,00000002,?,?,?,?,03444574), ref: 034443C0
                                                                  • Part of subcall function 034442EC: DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,03444574), ref: 034443CF
                                                                  • Part of subcall function 034442EC: CloseHandle.KERNEL32(03444574,?,?,?,?,03444574), ref: 034443FF
                                                                  • Part of subcall function 03443536: GetProcessHeap.KERNEL32(00000000,00000000,0344264F), ref: 0344353D
                                                                  • Part of subcall function 03443536: RtlFreeHeap.NTDLL(00000000), ref: 03443544
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3455474502.0000000003440000.00000040.00001000.00020000.00000000.sdmp, Offset: 03440000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_3440000_698B.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CriticalSection$EnterLeave$HandleHeapProcess$AddressModuleProc$AllocateAttributesCloseCurrentDuplicateFileFreeOpen
                                                                • String ID: @$\??\%s$\Network\Cookies
                                                                • API String ID: 330363434-2791195959
                                                                • Opcode ID: ac117bb108696988d96abd0c7520387759513f64094f46c36bc12bd7213c97e8
                                                                • Instruction ID: 23129ab2123b388a0bd121462d92908f63e97accaa646a5316e396ae83acf026
                                                                • Opcode Fuzzy Hash: ac117bb108696988d96abd0c7520387759513f64094f46c36bc12bd7213c97e8
                                                                • Instruction Fuzzy Hash: C5719F79940208AFFB54EF91D849BEDBBB5FB44704F10803AF601AE2D0EB759A46CB14

                                                                Control-flow Graph
                                                                APIs
                                                                  • Part of subcall function 034446D4: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,03444812), ref: 034446E6
                                                                  • Part of subcall function 034446D4: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,03444812), ref: 034446F3
                                                                • socket.WS2_32(?,00000001,00000000), ref: 03445480
                                                                • connect.WS2_32(000000FF,?,00000010), ref: 034454BF
                                                                • send.WS2_32(000000FF,00000000,00000000), ref: 034454E1
                                                                • send.WS2_32(000000FF,000000FF,00000037,00000000), ref: 034454FD
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3455474502.0000000003440000.00000040.00001000.00020000.00000000.sdmp, Offset: 03440000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_3440000_698B.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: send$HandleLibraryLoadModuleconnectsocket
                                                                • String ID: 146.70.169.164$ws2_32.dll
                                                                • API String ID: 2781119014-4085977579
                                                                • Opcode ID: f30f58e818585029800c48bdace9dae7dce35dbd41f026dece3975250792b209
                                                                • Instruction ID: 63e75876fd3e14527e719fe783686fd0b1c632b3a53cdafd5caa980959826577
                                                                • Opcode Fuzzy Hash: f30f58e818585029800c48bdace9dae7dce35dbd41f026dece3975250792b209
                                                                • Instruction Fuzzy Hash: 69518030C04289EEFF12CBE8D8097EDBFB89F16314F14409AE660AE2C1C7B54646CB65
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: d
                                                                • API String ID: 0-2564639436
                                                                • Opcode ID: 4e4eeba9e5d38a8c2f2cdbc93f440d2573b0a763e8fd8e6f921f160aea9f01f6
                                                                • Instruction ID: 0f8f24e50041655d7d28981a64dd41b0c4442c02d52c3a470d81dde5287c048c
                                                                • Opcode Fuzzy Hash: 4e4eeba9e5d38a8c2f2cdbc93f440d2573b0a763e8fd8e6f921f160aea9f01f6
                                                                • Instruction Fuzzy Hash: E7632570C04A28CADB26DF64D9916EEF776FF56344F1082CAD40A3A241EB319AD5DF84

                                                                Control-flow Graph
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: d
                                                                • API String ID: 0-2564639436
                                                                • Opcode ID: fa03396db123f429e360392cc08b069a9df397cdfa540ec42a15b12e37b2366f
                                                                • Instruction ID: 6dfe0d88b8df44a28f548b9e8d0f461231206d4db955b7663e201a93825f735c
                                                                • Opcode Fuzzy Hash: fa03396db123f429e360392cc08b069a9df397cdfa540ec42a15b12e37b2366f
                                                                • Instruction Fuzzy Hash: CA723771D04A1CCACB15DFA8D8916EEF776FF56344F108689E40A7A241EF31AA91CF84
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID: d
                                                                • API String ID: 0-2564639436
                                                                • Opcode ID: 08afe77582cf70d56da02a80c52713a9a8cbc504d19ddc081c256ec9876debbd
                                                                • Instruction ID: f806f072d9420fa04576f068eae08cfc07cae05160155a85b4e7bb6abc64f825
                                                                • Opcode Fuzzy Hash: 08afe77582cf70d56da02a80c52713a9a8cbc504d19ddc081c256ec9876debbd
                                                                • Instruction Fuzzy Hash: F4D34771C04A2CCACB26DF64D9916ADF776FF56344F1082CAE40A3A241EB319AD1DF85

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 5731 344484b-344485a 5732 3444b90 5731->5732 5733 3444860-3444879 VirtualAlloc 5731->5733 5734 3444b96-3444b99 5732->5734 5733->5732 5735 344487f-34448a3 call 34446d4 5733->5735 5736 3444b9c-3444ba1 5734->5736 5739 3444b8c-3444b8e 5735->5739 5740 34448a9-34448be call 344354b 5735->5740 5739->5736 5743 34448c0-34448c7 5740->5743 5744 34448d2-34448d5 5743->5744 5745 34448c9-34448ce 5743->5745 5747 34448d9-3444900 GetCurrentProcess IsWow64Process call 3445239 5744->5747 5745->5743 5746 34448d0 5745->5746 5746->5747 5750 3444906-344490b 5747->5750 5751 3444990-3444993 5747->5751 5752 344492c-3444931 5750->5752 5753 344490d-344491d 5750->5753 5754 3444995-3444998 5751->5754 5755 34449e0-34449e3 5751->5755 5759 3444971-3444974 5752->5759 5760 3444933-3444938 5752->5760 5756 344491f-3444927 5753->5756 5761 34449b8-34449bc 5754->5761 5762 344499a-34449b6 5754->5762 5757 3444a8e-3444a94 5755->5757 5758 34449e9-34449ee 5755->5758 5763 3444a32-3444a3f 5756->5763 5770 3444b2f-3444b32 5757->5770 5771 3444a9a-3444aa0 5757->5771 5765 3444a10-3444a12 5758->5765 5766 34449f0-3444a0e 5758->5766 5768 3444976-3444979 5759->5768 5769 344497f-344498e 5759->5769 5760->5753 5767 344493a-344493c 5760->5767 5761->5732 5764 34449c2-34449de 5761->5764 5762->5763 5763->5734 5764->5763 5772 3444a44-3444a47 5765->5772 5773 3444a14-3444a2d 5765->5773 5766->5763 5767->5753 5774 344493e-3444941 5767->5774 5768->5732 5768->5769 5769->5756 5770->5732 5775 3444b34-3444b55 5770->5775 5776 3444ac0-3444ac6 5771->5776 5777 3444aa2-3444abb 5771->5777 5784 3444a67-3444a6a 5772->5784 5785 3444a49-3444a62 5772->5785 5773->5763 5780 3444957-344495a 5774->5780 5781 3444943-3444955 5774->5781 5782 3444b77 5775->5782 5783 3444b57-3444b5d 5775->5783 5778 3444ae6-3444aec 5776->5778 5779 3444ac8-3444ae1 5776->5779 5777->5734 5786 3444b0c-3444b12 5778->5786 5787 3444aee-3444b07 5778->5787 5779->5734 5780->5732 5789 3444960-344496f 5780->5789 5781->5756 5791 3444b7c-3444b83 5782->5791 5783->5782 5788 3444b5f-3444b65 5783->5788 5784->5732 5790 3444a70-3444a89 5784->5790 5785->5734 5786->5775 5792 3444b14-3444b2d 5786->5792 5787->5734 5788->5782 5793 3444b67-3444b6d 5788->5793 5789->5756 5790->5734 5791->5734 5792->5734 5793->5782 5794 3444b6f-3444b75 5793->5794 5794->5782 5795 3444b85-3444b8a 5794->5795 5795->5791
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,00000020,00003000,00000040,0000011C,?,?,?,?,?,034422C4), ref: 0344486C
                                                                  • Part of subcall function 034446D4: GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,03444812), ref: 034446E6
                                                                  • Part of subcall function 034446D4: LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,03444812), ref: 034446F3
                                                                • GetCurrentProcess.KERNEL32(034422C4), ref: 034448E0
                                                                • IsWow64Process.KERNEL32(00000000), ref: 034448E7
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3455474502.0000000003440000.00000040.00001000.00020000.00000000.sdmp, Offset: 03440000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_3440000_698B.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Process$AllocCurrentHandleLibraryLoadModuleVirtualWow64
                                                                • String ID: l$ntdl
                                                                • API String ID: 1207166019-924918826
                                                                • Opcode ID: f2a8d8c539630f8a2e5c1acc2dcabc7fcd7181944467ad78a1c9e5c22077d824
                                                                • Instruction ID: 1c499bf6155eedd54b8862c7f71f09af9dd87c7142398e3ec79929846ba0ddc9
                                                                • Opcode Fuzzy Hash: f2a8d8c539630f8a2e5c1acc2dcabc7fcd7181944467ad78a1c9e5c22077d824
                                                                • Instruction Fuzzy Hash: FD81AF356083409AFB24EB55F856B7A33A8FB10714F15067BE209AF3C9E7B5C5458B0E

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 5849 67fca5-67fcbd call 687e88 5852 67fcd0-67fd06 call 687e5d call 67ffb3 call 680489 5849->5852 5853 67fcbf-67fccb 5849->5853 5862 67fd23-67fd2c call 68048f 5852->5862 5863 67fd08-67fd11 call 67ff1f 5852->5863 5854 67fdb9-67fdc8 5853->5854 5869 67fd41-67fd56 call 6805aa call 687e0a call 63cf50 5862->5869 5870 67fd2e-67fd37 call 67ff1f 5862->5870 5863->5862 5868 67fd13-67fd21 5863->5868 5868->5862 5882 67fd5b-67fd64 call 6805e0 5869->5882 5870->5869 5877 67fd39-67fd40 call 688191 5870->5877 5877->5869 5885 67fd66-67fd68 5882->5885 5886 67fdd0-67fdde call 6881b7 call 68817b 5882->5886 5888 67fd6f-67fd82 call 67ffd0 5885->5888 5889 67fd6a call 68816c 5885->5889 5888->5854 5889->5888
                                                                APIs
                                                                • ___scrt_release_startup_lock.LIBCMT ref: 0067FCF5
                                                                • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 0067FD09
                                                                • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 0067FD2F
                                                                • ___scrt_uninitialize_crt.LIBCMT ref: 0067FD72
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: ___scrt_is_nonwritable_in_current_image$___scrt_release_startup_lock___scrt_uninitialize_crt
                                                                • String ID: VPWh
                                                                • API String ID: 3089971210-353207083
                                                                • Opcode ID: 02e339abdcdd0138fb998d61b62a82d9a67e66befb6e9195ca214ab641800621
                                                                • Instruction ID: f08505d519c5a0862f962733caa906fd8a913277818e22f92a877180c77514f8
                                                                • Opcode Fuzzy Hash: 02e339abdcdd0138fb998d61b62a82d9a67e66befb6e9195ca214ab641800621
                                                                • Instruction Fuzzy Hash: B9213E325443119ADB717B746C0BE9E6797DF42760F30463DF588276D2DF254C0197A8

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 5896 68ede2-68edfb 5897 68edfd-68ee0d call 6871fa 5896->5897 5898 68ee11-68ee16 5896->5898 5897->5898 5905 68ee0f 5897->5905 5900 68ee18-68ee20 5898->5900 5901 68ee23-68ee49 call 691e03 5898->5901 5900->5901 5906 68efbf-68efd0 call 68003d 5901->5906 5907 68ee4f-68ee5a 5901->5907 5905->5898 5908 68ee60-68ee65 5907->5908 5909 68efb2 5907->5909 5911 68ee7e-68ee89 call 68ac15 5908->5911 5912 68ee67-68ee70 call 680110 5908->5912 5913 68efb4 5909->5913 5911->5913 5923 68ee8f 5911->5923 5912->5913 5921 68ee76-68ee7c 5912->5921 5916 68efb6-68efbd call 67faaa 5913->5916 5916->5906 5924 68ee95-68ee9a 5921->5924 5923->5924 5924->5913 5925 68eea0-68eeb5 call 691e03 5924->5925 5925->5913 5928 68eebb-68eecd call 68e1d3 5925->5928 5930 68eed2-68eed6 5928->5930 5930->5913 5931 68eedc-68eee4 5930->5931 5932 68ef1e-68ef2a 5931->5932 5933 68eee6-68eeeb 5931->5933 5935 68ef2c-68ef2e 5932->5935 5936 68efa7 5932->5936 5933->5916 5934 68eef1-68eef3 5933->5934 5934->5913 5938 68eef9-68ef13 call 68e1d3 5934->5938 5939 68ef30-68ef39 call 680110 5935->5939 5940 68ef43-68ef4e call 68ac15 5935->5940 5937 68efa9-68efb0 call 67faaa 5936->5937 5937->5913 5938->5916 5950 68ef19 5938->5950 5939->5937 5951 68ef3b-68ef41 5939->5951 5940->5937 5949 68ef50 5940->5949 5952 68ef56-68ef5b 5949->5952 5950->5913 5951->5952 5952->5937 5953 68ef5d-68ef75 call 68e1d3 5952->5953 5953->5937 5956 68ef77-68ef7e 5953->5956 5957 68ef9f-68efa5 5956->5957 5958 68ef80-68ef81 5956->5958 5959 68ef82-68ef94 call 691ebd 5957->5959 5958->5959 5959->5937 5962 68ef96-68ef9d call 67faaa 5959->5962 5962->5916
                                                                APIs
                                                                • __freea.LIBCMT ref: 0068EF97
                                                                  • Part of subcall function 0068AC15: RtlAllocateHeap.NTDLL(00000000,00000000,?,?,0067FB1F,00000000,?,0063322C,00000000,?,006213A5,00000000), ref: 0068AC47
                                                                • __freea.LIBCMT ref: 0068EFAA
                                                                • __freea.LIBCMT ref: 0068EFB7
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: __freea$AllocateHeap
                                                                • String ID: T7}H
                                                                • API String ID: 2243444508-2795076325
                                                                • Opcode ID: e1b82805e9407b8a45b6d86b5a19444e3c10747f4b5a8904f02dfccd007316fb
                                                                • Instruction ID: 0b61508a3bb8028bfcf82fdc9b474f6ec104823395583670d4f905810902f3eb
                                                                • Opcode Fuzzy Hash: e1b82805e9407b8a45b6d86b5a19444e3c10747f4b5a8904f02dfccd007316fb
                                                                • Instruction Fuzzy Hash: CA518572A00206AFEB21AF619C45EFB76ABEF84714B15062DFE04D6241E772DC508761

                                                                Control-flow Graph

                                                                • Executed
                                                                • Not Executed
                                                                control_flow_graph 5975 633052-633068 5977 63306a-6330ca LoadLibraryA CreateThread WaitForSingleObject FreeLibrary 5975->5977 5978 6330ce-6330d1 5975->5978 5977->5978
                                                                APIs
                                                                • LoadLibraryA.KERNELBASE(?), ref: 0063307F
                                                                • CreateThread.KERNELBASE(00000000,00000000,?,00000000,00000000,00000000), ref: 006330A2
                                                                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 006330B7
                                                                • FreeLibrary.KERNEL32(?), ref: 006330C4
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: Library$CreateFreeLoadObjectSingleThreadWait
                                                                • String ID:
                                                                • API String ID: 2432312608-0
                                                                • Opcode ID: 05413bd72508ef2333e24742dd75e0fde4db435a39d277f4111548383538c0a3
                                                                • Instruction ID: 38b2dc94d4766b7aa117cbe1ba235ab169fecbc1ffcc0daeeb39b5d6af9f85d2
                                                                • Opcode Fuzzy Hash: 05413bd72508ef2333e24742dd75e0fde4db435a39d277f4111548383538c0a3
                                                                • Instruction Fuzzy Hash: CB011D709403189BDB349F54DC8DBA97735FB15315F1016CDE5295A2A1CBB16AC0CF60

                                                                Control-flow Graph

                                                                APIs
                                                                • EnterCriticalSection.KERNEL32(034484D4,?,?,03443BE5,?,03442251), ref: 03443512
                                                                • GetProcessHeap.KERNEL32(00000008,?,?,?,03443BE5,?,03442251), ref: 0344351B
                                                                • RtlAllocateHeap.NTDLL(00000000,?,?,?,03443BE5,?,03442251), ref: 03443522
                                                                • LeaveCriticalSection.KERNEL32(034484D4,?,?,?,03443BE5,?,03442251), ref: 0344352B
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3455474502.0000000003440000.00000040.00001000.00020000.00000000.sdmp, Offset: 03440000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_3440000_698B.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CriticalHeapSection$AllocateEnterLeaveProcess
                                                                • String ID:
                                                                • API String ID: 1367039788-0
                                                                • Opcode ID: 734e679d3069693c74cd773435f44e1aa16f4359ca0f7517f58c4fa0cbc2ddff
                                                                • Instruction ID: 4d0c835831c0ffa12633d138d3868ed273f2d5603e624e15ee1024ce4052fcc5
                                                                • Opcode Fuzzy Hash: 734e679d3069693c74cd773435f44e1aa16f4359ca0f7517f58c4fa0cbc2ddff
                                                                • Instruction Fuzzy Hash: B6D09E3660212067DB5077E9B80C99BAEECEF96561706047AF215EB154DBA8880687A0
                                                                APIs
                                                                  • Part of subcall function 00692A95: GetOEMCP.KERNEL32(00000000,?,?,00000000,?), ref: 00692AC0
                                                                • IsValidCodePage.KERNEL32(-00000030,00000000,?,?,?,?,?,?,?,?,00692DA5,?,00000000,?,00000000,?), ref: 00692FC2
                                                                • GetCPInfo.KERNEL32(00000000,?,?,?,?,?,?,?,?,00692DA5,?,00000000,?,00000000,?), ref: 00692FFE
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: CodeInfoPageValid
                                                                • String ID: T7}H
                                                                • API String ID: 546120528-2795076325
                                                                • Opcode ID: efcf8c32046cb13132dcb4d7b2d7d7af2bace16fdbaa86825a6eceda9a75c630
                                                                • Instruction ID: 7cdb068d538a5f762c856fa6a931d8e09462162cefcfbea1545d7c99720cb25e
                                                                • Opcode Fuzzy Hash: efcf8c32046cb13132dcb4d7b2d7d7af2bace16fdbaa86825a6eceda9a75c630
                                                                • Instruction Fuzzy Hash: 45513130A003569EDF20DF75C885AEBBBFAEF41304F14856ED0868BB51E7759A06CB91
                                                                APIs
                                                                • GetModuleHandleA.KERNEL32(ntdl,0000011C,?,?,?,?,?,?,?,03444812), ref: 034446E6
                                                                • LoadLibraryA.KERNELBASE(ntdl,?,?,?,?,?,?,?,03444812), ref: 034446F3
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3455474502.0000000003440000.00000040.00001000.00020000.00000000.sdmp, Offset: 03440000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_3440000_698B.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: HandleLibraryLoadModule
                                                                • String ID: ntdl
                                                                • API String ID: 4133054770-3973061744
                                                                • Opcode ID: a5da6b2d8b7d7fd054ffc1b6a928dd2b56537960e8b6ffe75047bc4d65803cc6
                                                                • Instruction ID: 60f948a0db4de8d182b5374845b9f738b4d9a6a4c391ccd7d7104693b72abd24
                                                                • Opcode Fuzzy Hash: a5da6b2d8b7d7fd054ffc1b6a928dd2b56537960e8b6ffe75047bc4d65803cc6
                                                                • Instruction Fuzzy Hash: D631D279E002159FDB24CF9AC590ABEF7B5FF46704F0842ABC411AB341C734A952CBA4
                                                                APIs
                                                                • GetCPInfo.KERNEL32(FFFFF9B2,?,00000005,00692DA5,?), ref: 00692B9B
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: Info
                                                                • String ID: T7}H
                                                                • API String ID: 1807457897-2795076325
                                                                • Opcode ID: 722ba90a4b6c898474d7fde45776fe702d497c5436e733b9976efe526a49cd6f
                                                                • Instruction ID: 653679296b21ce5d23d4a15d522576d742c0added32a0b11b8dbccf1bd23846a
                                                                • Opcode Fuzzy Hash: 722ba90a4b6c898474d7fde45776fe702d497c5436e733b9976efe526a49cd6f
                                                                • Instruction Fuzzy Hash: C35169B090815ABADF118F28CC94BFABBAEFB15304F1401E9E199D7642C3359D85DB60
                                                                APIs
                                                                • LCMapStringEx.KERNELBASE(?,0068EED2,?,?,-00000008,?,00000000,00000000,00000000,00000000,00000000), ref: 0068E207
                                                                • LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,-00000008,-00000008,?,0068EED2,?,?,-00000008,?,00000000), ref: 0068E225
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: String
                                                                • String ID:
                                                                • API String ID: 2568140703-0
                                                                • Opcode ID: 137bb055b48d2b4ad877cb5c7d9f7f84799910377bf2c167c07d5ecf59ffddd4
                                                                • Instruction ID: 47bfa64695c1363c00a6e8ed1a04f1f5f08d0883dff1bf8ba0d805805080aa70
                                                                • Opcode Fuzzy Hash: 137bb055b48d2b4ad877cb5c7d9f7f84799910377bf2c167c07d5ecf59ffddd4
                                                                • Instruction Fuzzy Hash: BBF0683200011ABBCF126F90DC15DDE7F2BFF48760F058515FA1826120C632D931ABA4
                                                                APIs
                                                                • GetProcessHeap.KERNEL32(00000000,00000000,0344264F), ref: 0344353D
                                                                • RtlFreeHeap.NTDLL(00000000), ref: 03443544
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3455474502.0000000003440000.00000040.00001000.00020000.00000000.sdmp, Offset: 03440000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_3440000_698B.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Heap$FreeProcess
                                                                • String ID:
                                                                • API String ID: 3859560861-0
                                                                • Opcode ID: fd95a3beab20b5dfaf9183ea5563f33105b67546341b93ea45b44c8f53cc1263
                                                                • Instruction ID: af64fd1e98c23e1fc5820071b74103cdf39b0c8998b0e9e23b65782cd7af2c26
                                                                • Opcode Fuzzy Hash: fd95a3beab20b5dfaf9183ea5563f33105b67546341b93ea45b44c8f53cc1263
                                                                • Instruction Fuzzy Hash: B8B092785421106AEE88ABA0990EB3A3A58AB10A03F0404A8B212E9045C76880018620
                                                                APIs
                                                                • stdext::threads::lock_error::lock_error.LIBCPMTD ref: 0068037B
                                                                  • Part of subcall function 0068106C: RaiseException.KERNEL32(E06D7363,00000001,00000003,0068038E,?,?,?,?,0068038E,?,006A8484), ref: 006810CC
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: ExceptionRaisestdext::threads::lock_error::lock_error
                                                                • String ID:
                                                                • API String ID: 3447279179-0
                                                                • Opcode ID: c559d8080ea30edcc95ba77cd7a773c8c2fb96fada04f6b95fea983a3fd23636
                                                                • Instruction ID: 7d943c803a2c598176e574a20341e17c2fad5e3a1282ffa2b9650f7da55ba1db
                                                                • Opcode Fuzzy Hash: c559d8080ea30edcc95ba77cd7a773c8c2fb96fada04f6b95fea983a3fd23636
                                                                • Instruction Fuzzy Hash: D6F0BB3480030DB7CB44BB74EC16D9D376F5905750F508634B968560D2EF70DA898699
                                                                APIs
                                                                • Concurrency::cancel_current_task.LIBCPMTD ref: 00621477
                                                                  • Part of subcall function 00633D80: stdext::threads::lock_error::lock_error.LIBCPMTD ref: 00633D89
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: Concurrency::cancel_current_taskstdext::threads::lock_error::lock_error
                                                                • String ID:
                                                                • API String ID: 2103942186-0
                                                                • Opcode ID: 7e938961fb2e67025cdff9c0a0f1d748bbed45857ce640becdc6d9bdc5e37106
                                                                • Instruction ID: 2f8c126e90a1bcd18f6b9e7223d732e678a88f9c58f3875874c19831461cb5a1
                                                                • Opcode Fuzzy Hash: 7e938961fb2e67025cdff9c0a0f1d748bbed45857ce640becdc6d9bdc5e37106
                                                                • Instruction Fuzzy Hash: 7AF08C74D0451CABCB04EFA8E5816AEB7B2AF55304F10C1A9E8099B340E630AF40CBC5
                                                                APIs
                                                                • RtlAllocateHeap.NTDLL(00000000,00000000,?,?,0067FB1F,00000000,?,0063322C,00000000,?,006213A5,00000000), ref: 0068AC47
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: AllocateHeap
                                                                • String ID:
                                                                • API String ID: 1279760036-0
                                                                • Opcode ID: dabe136c317ab896e3ba2d24bd0d8a641114999c8f217107d23ec19442f5886d
                                                                • Instruction ID: 811910e0a9354155bf3b7af9afdb5a7c4bff564e3dfd22e0c4223210ced8bbcc
                                                                • Opcode Fuzzy Hash: dabe136c317ab896e3ba2d24bd0d8a641114999c8f217107d23ec19442f5886d
                                                                • Instruction Fuzzy Hash: 32E0E531204A1457FB313AB59C007DA3A8BAF023A0F18132BFD45963D0EB60CC00C3A6
                                                                APIs
                                                                • VirtualProtect.KERNELBASE(?,00000007,?,?), ref: 00634B9E
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: ProtectVirtual
                                                                • String ID:
                                                                • API String ID: 544645111-0
                                                                • Opcode ID: 63451d55a8daa8aaf12b8041a32139d18be8b5d311da68f94284b351b04de707
                                                                • Instruction ID: 8d262d44a00b8a4bd8c953f8edfdef04822346a1fe0da158d6a2a87a2cccfe57
                                                                • Opcode Fuzzy Hash: 63451d55a8daa8aaf12b8041a32139d18be8b5d311da68f94284b351b04de707
                                                                • Instruction Fuzzy Hash: 8CD012B6A1410887CB20AF6CAC083A2B77AF715316B1431CEE95947113DB3255168F90
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: allocator
                                                                • String ID:
                                                                • API String ID: 3447690668-0
                                                                • Opcode ID: 571f10d42482652b194d7ecda06d937b3b08c569b6719ab49de57ad63638ba45
                                                                • Instruction ID: 54cbeb48dbcca81b2fbbc741589752d60f963bb6d7198dde81e112b73f617d01
                                                                • Opcode Fuzzy Hash: 571f10d42482652b194d7ecda06d937b3b08c569b6719ab49de57ad63638ba45
                                                                • Instruction Fuzzy Hash: ACC09B3011410C5B8744DF88E491D55B39D9B88710B004159BC0D4B351CE30FD40C598
                                                                APIs
                                                                • GetFileAttributesW.KERNELBASE(00BFF5F8,03441035,00BFF5F8,?), ref: 0344407E
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3455474502.0000000003440000.00000040.00001000.00020000.00000000.sdmp, Offset: 03440000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_3440000_698B.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: AttributesFile
                                                                • String ID:
                                                                • API String ID: 3188754299-0
                                                                • Opcode ID: 99e2130fc591ef59ee9cd38e9981b27219a47c9861048447c1dde5f2136fc31d
                                                                • Instruction ID: 981bcd8bc0f0fe76f0e02cea1e175898a5946a13a0d0fff09c0d990e811a624d
                                                                • Opcode Fuzzy Hash: 99e2130fc591ef59ee9cd38e9981b27219a47c9861048447c1dde5f2136fc31d
                                                                • Instruction Fuzzy Hash: 25A0223C0302008BCB2C23300BAA00E38800E0A2F03220BACB033FC0C0EB28C2820000
                                                                APIs
                                                                • VirtualAlloc.KERNELBASE(00000000,00000001,00003000,00000040), ref: 00638B81
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: AllocVirtual
                                                                • String ID:
                                                                • API String ID: 4275171209-0
                                                                • Opcode ID: 97ccfad23754b18dad73725227b7dc3715d6d4a40b72282e692ac105f4396868
                                                                • Instruction ID: 3bb312b2915ce466475914927cc5b067e653803aedb3a0de6ded1454c63989eb
                                                                • Opcode Fuzzy Hash: 97ccfad23754b18dad73725227b7dc3715d6d4a40b72282e692ac105f4396868
                                                                • Instruction Fuzzy Hash: 8921E7B1C05A288FDB62CF24C9817EDF7B6AF52340F1092CAE40D6A242DB345A859F50
                                                                APIs
                                                                  • Part of subcall function 0068A8F0: GetLastError.KERNEL32(?,?,006871B7,?,?,?,?,00000003,00684382,?,006842F1,?,00000000,00684500), ref: 0068A8F4
                                                                  • Part of subcall function 0068A8F0: SetLastError.KERNEL32(00000000,00000000,00684500,?,?,?,?,?,00000000,?,?,0068459E,00000000,00000000,00000000,00000000), ref: 0068A996
                                                                • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0069573C
                                                                • IsValidCodePage.KERNEL32(00000000), ref: 0069577A
                                                                • IsValidLocale.KERNEL32(?,00000001), ref: 0069578D
                                                                • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 006957D5
                                                                • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 006957F0
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                                                • String ID: T7}H
                                                                • API String ID: 415426439-2795076325
                                                                • Opcode ID: efc6a6931e3a5c53f2ebd1b20d8bfa4f01e6b8ee65b0756122aa3233dd7893f4
                                                                • Instruction ID: c8031f8df085a8e15f5dc08cb1a141e5f8029445041c18866152089f26f2a587
                                                                • Opcode Fuzzy Hash: efc6a6931e3a5c53f2ebd1b20d8bfa4f01e6b8ee65b0756122aa3233dd7893f4
                                                                • Instruction Fuzzy Hash: 1C51A471900619ABEF12DFA4CC41AEE77BEBF04700F54442AE912EB691EB70DA41CB61
                                                                APIs
                                                                • GetLocaleInfoW.KERNEL32(?,2000000B,jWi,00000002,00000000,?,?,?,0069576A,?,00000000), ref: 006954F1
                                                                • GetLocaleInfoW.KERNEL32(?,20001004,jWi,00000002,00000000,?,?,?,0069576A,?,00000000), ref: 0069551A
                                                                • GetACP.KERNEL32(?,?,0069576A,?,00000000), ref: 0069552F
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: InfoLocale
                                                                • String ID: ACP$OCP$jWi
                                                                • API String ID: 2299586839-2931437779
                                                                • Opcode ID: 24112e189d144dbcd8d81fe928d996b51a751b45134737fe5511c6894f908fa3
                                                                • Instruction ID: 564cc096f89f7e0d8053a6a9b11906ad0fbe2c9e77c388162e20381935ec9ee9
                                                                • Opcode Fuzzy Hash: 24112e189d144dbcd8d81fe928d996b51a751b45134737fe5511c6894f908fa3
                                                                • Instruction Fuzzy Hash: E521C172600900AADF728F64D905AD773EFAB50F61B668426E90BC7B05F732EE81C750
                                                                APIs
                                                                  • Part of subcall function 0068A8F0: GetLastError.KERNEL32(?,?,006871B7,?,?,?,?,00000003,00684382,?,006842F1,?,00000000,00684500), ref: 0068A8F4
                                                                  • Part of subcall function 0068A8F0: SetLastError.KERNEL32(00000000,00000000,00684500,?,?,?,?,?,00000000,?,?,0068459E,00000000,00000000,00000000,00000000), ref: 0068A996
                                                                • GetACP.KERNEL32(?,?,?,?,?,?,006889B1,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 00694D7E
                                                                • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,006889B1,?,?,?,00000055,?,-00000050,?,?), ref: 00694DB5
                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00694F18
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: ErrorLast$CodeInfoLocalePageValid
                                                                • String ID: T7}H$utf8
                                                                • API String ID: 607553120-150342147
                                                                • Opcode ID: 0f68becab23b2daf9c808a7bc81352a297df85a9c84e98691182de3ea5b9d014
                                                                • Instruction ID: 5c743e9ec6cc54bd7ee35a39e9c3f1f69af6dd248a075cfb59490d0267a222b1
                                                                • Opcode Fuzzy Hash: 0f68becab23b2daf9c808a7bc81352a297df85a9c84e98691182de3ea5b9d014
                                                                • Instruction Fuzzy Hash: 54710271A00306AADF25AB75DC42FBA73AEEF45700F11402EFA05D7A81EE70E9468764
                                                                APIs
                                                                  • Part of subcall function 0344407D: GetFileAttributesW.KERNELBASE(00BFF5F8,03441035,00BFF5F8,?), ref: 0344407E
                                                                  • Part of subcall function 03443508: EnterCriticalSection.KERNEL32(034484D4,?,?,03443BE5,?,03442251), ref: 03443512
                                                                  • Part of subcall function 03443508: GetProcessHeap.KERNEL32(00000008,?,?,?,03443BE5,?,03442251), ref: 0344351B
                                                                  • Part of subcall function 03443508: RtlAllocateHeap.NTDLL(00000000,?,?,?,03443BE5,?,03442251), ref: 03443522
                                                                  • Part of subcall function 03443508: LeaveCriticalSection.KERNEL32(034484D4,?,?,?,03443BE5,?,03442251), ref: 0344352B
                                                                • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 03443F5D
                                                                • FindNextFileW.KERNEL32(03441710,?), ref: 03443FFE
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3455474502.0000000003440000.00000040.00001000.00020000.00000000.sdmp, Offset: 03440000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_3440000_698B.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: File$CriticalFindHeapSection$AllocateAttributesEnterFirstLeaveNextProcess
                                                                • String ID: %s%s$%s\%s$%s\*
                                                                • API String ID: 674214967-2064654797
                                                                • Opcode ID: b2fb29510ebd0507503a628045f8bb1ad123cd5438ea8cfad376eb99a569cce0
                                                                • Instruction ID: e858076846940e1cd93c80297c061bf49f62a3ad773d2b3188c4c3ab03465b7a
                                                                • Opcode Fuzzy Hash: b2fb29510ebd0507503a628045f8bb1ad123cd5438ea8cfad376eb99a569cce0
                                                                • Instruction Fuzzy Hash: E731F939A003195BFB21EF518C44ABEBB759F40600F0801BBEC149F390DB318E668758
                                                                APIs
                                                                  • Part of subcall function 0068A8F0: GetLastError.KERNEL32(?,?,006871B7,?,?,?,?,00000003,00684382,?,006842F1,?,00000000,00684500), ref: 0068A8F4
                                                                  • Part of subcall function 0068A8F0: SetLastError.KERNEL32(00000000,00000000,00684500,?,?,?,?,?,00000000,?,?,0068459E,00000000,00000000,00000000,00000000), ref: 0068A996
                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00695130
                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0069517A
                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00695240
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: InfoLocale$ErrorLast
                                                                • String ID: T7}H
                                                                • API String ID: 661929714-2795076325
                                                                • Opcode ID: 6663925ff23d35139f842dc857196cfe9b1a167762a666c8d55479318124f61f
                                                                • Instruction ID: 2b5b1abf582246d35ef093aa8c17abeaee8e345209e7c393111d8e08a1cd0dee
                                                                • Opcode Fuzzy Hash: 6663925ff23d35139f842dc857196cfe9b1a167762a666c8d55479318124f61f
                                                                • Instruction Fuzzy Hash: 1361B3719106079FEF6A9F28CC82BBA77AEEF14310F10417AE906C6A85F774DA51CB50
                                                                APIs
                                                                • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 0344410D
                                                                • FindNextFileW.KERNEL32(000000FF,?), ref: 03444159
                                                                  • Part of subcall function 03443536: GetProcessHeap.KERNEL32(00000000,00000000,0344264F), ref: 0344353D
                                                                  • Part of subcall function 03443536: RtlFreeHeap.NTDLL(00000000), ref: 03443544
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3455474502.0000000003440000.00000040.00001000.00020000.00000000.sdmp, Offset: 03440000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_3440000_698B.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: FileFindHeap$FirstFreeNextProcess
                                                                • String ID: %s\%s$%s\*
                                                                • API String ID: 1689202581-2848263008
                                                                • Opcode ID: c95724cd8ecc476a9d71c787453ac3a7fe6ddcb88bc917a3a61c2bf40a608e3d
                                                                • Instruction ID: 25e7cfaac727fa15290d33b772b3636c71d55f9c74cb89b1750b021906888343
                                                                • Opcode Fuzzy Hash: c95724cd8ecc476a9d71c787453ac3a7fe6ddcb88bc917a3a61c2bf40a608e3d
                                                                • Instruction Fuzzy Hash: 32319438B003159FFB20EFA7CC8476EBBA9AF54640F14407ED9059F341EB349A518B98
                                                                APIs
                                                                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,?), ref: 0068447B
                                                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,?), ref: 00684485
                                                                • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,?), ref: 00684492
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                • String ID: T7}H
                                                                • API String ID: 3906539128-2795076325
                                                                • Opcode ID: 0fa890f5538c8bb75feaf7d309d43f005961f60bd8eab3733ce26a8d30eddfaa
                                                                • Instruction ID: 13cb3506987188f1be77373b7f1cb0106ee529238b48a33c87db85a03df63ed3
                                                                • Opcode Fuzzy Hash: 0fa890f5538c8bb75feaf7d309d43f005961f60bd8eab3733ce26a8d30eddfaa
                                                                • Instruction Fuzzy Hash: 7731C4759012199BCB61EF68DC897CDBBB9BF18310F5046EAE41CA6250EB709B858F44
                                                                APIs
                                                                • IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 006804A1
                                                                • IsDebuggerPresent.KERNEL32 ref: 0068056D
                                                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00680586
                                                                • UnhandledExceptionFilter.KERNEL32(?), ref: 00680590
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                                                • String ID:
                                                                • API String ID: 254469556-0
                                                                • Opcode ID: cf5a5513f2da77dde19875c9b392bcf0a3cde57ef89ee639ff6a2e265f0fc4e0
                                                                • Instruction ID: 661cb4cd93f7535d4022a8b8a355c7d46a675c12584548b8eb985ac6cc30f596
                                                                • Opcode Fuzzy Hash: cf5a5513f2da77dde19875c9b392bcf0a3cde57ef89ee639ff6a2e265f0fc4e0
                                                                • Instruction Fuzzy Hash: 3E31F875D01218DBEF60EFA4DD497CDBBB9AF08300F1046AAE50DAB250EB709A84CF55
                                                                APIs
                                                                  • Part of subcall function 0068A8F0: GetLastError.KERNEL32(?,?,006871B7,?,?,?,?,00000003,00684382,?,006842F1,?,00000000,00684500), ref: 0068A8F4
                                                                  • Part of subcall function 0068A8F0: SetLastError.KERNEL32(00000000,00000000,00684500,?,?,?,?,?,00000000,?,?,0068459E,00000000,00000000,00000000,00000000), ref: 0068A996
                                                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00695383
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: ErrorLast$InfoLocale
                                                                • String ID: T7}H
                                                                • API String ID: 3736152602-2795076325
                                                                • Opcode ID: a81d4df7fddb22870f8b9434af41ee8bdb0eb6bb393edc37d0889c7acc62d22e
                                                                • Instruction ID: 797a65830c237026044b56983b09ac246425e9d12ef4026533d9ca10fc7afa19
                                                                • Opcode Fuzzy Hash: a81d4df7fddb22870f8b9434af41ee8bdb0eb6bb393edc37d0889c7acc62d22e
                                                                • Instruction Fuzzy Hash: 2C21A172610606ABEF19AA25DC41ABA33EEEF44350B10406EFD02C6641FBB4AD45C754
                                                                APIs
                                                                  • Part of subcall function 006849CA: EnterCriticalSection.KERNEL32(-006AB8A8,?,006876D7,00000000,006A8C40,0000000C,0068769F,?,?,0068DB90,?,?,0068AA8E,00000001,00000364,00000000), ref: 006849D9
                                                                • EnumSystemLocalesW.KERNEL32(0068DBBA,00000001,006A8E30,0000000C,0068DF92,00000000), ref: 0068DBFF
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: CriticalEnterEnumLocalesSectionSystem
                                                                • String ID: T7}H
                                                                • API String ID: 1272433827-2795076325
                                                                • Opcode ID: fc55cce9fc990455a8ba23e4e40c2332ce5f9de903df702b2762ea5d2453e1b7
                                                                • Instruction ID: a1164dd921d081343db2e92a02a577a6d036661d652161d91ad22e3443e2da3f
                                                                • Opcode Fuzzy Hash: fc55cce9fc990455a8ba23e4e40c2332ce5f9de903df702b2762ea5d2453e1b7
                                                                • Instruction Fuzzy Hash: 1CF03772A00304DFDB40EF98E842B9977F2FB09764F10422AF5109B2E1DBB59900CF54
                                                                APIs
                                                                • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00680152
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: FeaturePresentProcessor
                                                                • String ID:
                                                                • API String ID: 2325560087-0
                                                                • Opcode ID: e5ae4455ca7e28cfbf220653c39d989ccfd977f6f9f81137c4e585bc820d48fe
                                                                • Instruction ID: fe38a33a1c922827b4b0416107eebc42fe54a84ae989269b575c41555132caf1
                                                                • Opcode Fuzzy Hash: e5ae4455ca7e28cfbf220653c39d989ccfd977f6f9f81137c4e585bc820d48fe
                                                                • Instruction Fuzzy Hash: 7F51FFB1A052058FEB95DFA4D9857AEBBF6FB48310F209A2AC405EB352D374AD04CF50
                                                                APIs
                                                                  • Part of subcall function 0068A8F0: GetLastError.KERNEL32(?,?,006871B7,?,?,?,?,00000003,00684382,?,006842F1,?,00000000,00684500), ref: 0068A8F4
                                                                  • Part of subcall function 0068A8F0: SetLastError.KERNEL32(00000000,00000000,00684500,?,?,?,?,?,00000000,?,?,0068459E,00000000,00000000,00000000,00000000), ref: 0068A996
                                                                • EnumSystemLocalesW.KERNEL32(006950DC,00000001,00000000,?,-00000050,?,00695710,00000000,?,?,?,00000055,?), ref: 00695028
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: ErrorLast$EnumLocalesSystem
                                                                • String ID:
                                                                • API String ID: 2417226690-0
                                                                • Opcode ID: c8d04cb6e6bfff52bdbdc0f9b945ee9c70eca273ca1820306d84388680cd97ec
                                                                • Instruction ID: e64789c579b2ad97ff17604257b3052d649d5206a26b4a62b585a20eec891f80
                                                                • Opcode Fuzzy Hash: c8d04cb6e6bfff52bdbdc0f9b945ee9c70eca273ca1820306d84388680cd97ec
                                                                • Instruction Fuzzy Hash: CF11023A2007059FDF28AF39C8916BABB96FB80358B14442DEA4787B40E771A843C790
                                                                APIs
                                                                  • Part of subcall function 0068A8F0: GetLastError.KERNEL32(?,?,006871B7,?,?,?,?,00000003,00684382,?,006842F1,?,00000000,00684500), ref: 0068A8F4
                                                                  • Part of subcall function 0068A8F0: SetLastError.KERNEL32(00000000,00000000,00684500,?,?,?,?,?,00000000,?,?,0068459E,00000000,00000000,00000000,00000000), ref: 0068A996
                                                                • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,006952F8,00000000,00000000,?), ref: 0069558A
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: ErrorLast$InfoLocale
                                                                • String ID:
                                                                • API String ID: 3736152602-0
                                                                • Opcode ID: 53163026955d71cb58b8fb1623c500d9fd334bd34e415081773c322fe0308ae0
                                                                • Instruction ID: 7f07d56df5de971a68e6f435cd4b63df8cc991e642c47f86a27d43c5cd8c8e31
                                                                • Opcode Fuzzy Hash: 53163026955d71cb58b8fb1623c500d9fd334bd34e415081773c322fe0308ae0
                                                                • Instruction Fuzzy Hash: 0501D672600612ABDF29AA24C805BFB376FEB40754F16442DEC07A3681EB74FE41C7A4
                                                                APIs
                                                                  • Part of subcall function 0068A8F0: GetLastError.KERNEL32(?,?,006871B7,?,?,?,?,00000003,00684382,?,006842F1,?,00000000,00684500), ref: 0068A8F4
                                                                  • Part of subcall function 0068A8F0: SetLastError.KERNEL32(00000000,00000000,00684500,?,?,?,?,?,00000000,?,?,0068459E,00000000,00000000,00000000,00000000), ref: 0068A996
                                                                • EnumSystemLocalesW.KERNEL32(0069532F,00000001,00000000,?,-00000050,?,006956D8,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 0069509B
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: ErrorLast$EnumLocalesSystem
                                                                • String ID:
                                                                • API String ID: 2417226690-0
                                                                • Opcode ID: c577577f8055d2e63393ca09409b55f1cc7bd301ee6471b4f559019c3c334430
                                                                • Instruction ID: 339e32f66881078a97f829f489078856f34924798c61d84f5a9fbd4c3b190d40
                                                                • Opcode Fuzzy Hash: c577577f8055d2e63393ca09409b55f1cc7bd301ee6471b4f559019c3c334430
                                                                • Instruction Fuzzy Hash: D7F0F636300B045FDF256F399891ABA7BAAEF80368F05442DF9474BB80D6B19C42C794
                                                                APIs
                                                                  • Part of subcall function 0068A8F0: GetLastError.KERNEL32(?,?,006871B7,?,?,?,?,00000003,00684382,?,006842F1,?,00000000,00684500), ref: 0068A8F4
                                                                  • Part of subcall function 0068A8F0: SetLastError.KERNEL32(00000000,00000000,00684500,?,?,?,?,?,00000000,?,?,0068459E,00000000,00000000,00000000,00000000), ref: 0068A996
                                                                • EnumSystemLocalesW.KERNEL32(00694EC4,00000001,00000000,?,?,00695732,-00000050,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 00694FA2
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: ErrorLast$EnumLocalesSystem
                                                                • String ID:
                                                                • API String ID: 2417226690-0
                                                                • Opcode ID: 8d769ab6e7723ab03e78f4f1b6d45abc6cc46db71f922cec8fd53c9aeea3572a
                                                                • Instruction ID: a85de38eae7e9b361e4903cc2aadee2062d57ec6aea39f070999a947289a2b90
                                                                • Opcode Fuzzy Hash: 8d769ab6e7723ab03e78f4f1b6d45abc6cc46db71f922cec8fd53c9aeea3572a
                                                                • Instruction Fuzzy Hash: 43F0EC357002455BCF149F39D845A66BF99EFC1710F07405DEE058BB51CA759843C7A0
                                                                APIs
                                                                • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00689527,?,20001004,00000000,00000002,?,?,00688B19), ref: 0068E0CA
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: InfoLocale
                                                                • String ID:
                                                                • API String ID: 2299586839-0
                                                                • Opcode ID: 88777ced8ad75ffbf0b292b1549483f8033541373f87f530b0dfa56a6d418cff
                                                                • Instruction ID: 18372a1a5792be6c6b61676b0c6e98dd46d0309aeed0d9414de9a6076c20ab07
                                                                • Opcode Fuzzy Hash: 88777ced8ad75ffbf0b292b1549483f8033541373f87f530b0dfa56a6d418cff
                                                                • Instruction Fuzzy Hash: 37E01A31500228BBCB123F61DC04BAE3B2BBB44760F044519FC05666618B729921EBA9
                                                                APIs
                                                                • SetUnhandledExceptionFilter.KERNEL32(Function_0006062E,0067FC56), ref: 00680627
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: ExceptionFilterUnhandled
                                                                • String ID:
                                                                • API String ID: 3192549508-0
                                                                • Opcode ID: a93745858264d6e52eac4afedffd97df3e73d59bd8ede940a7e816176503b5ec
                                                                • Instruction ID: 9595062bafd791bbf8f1350749a0b24fdbdda4b9ac7270d1dbd81803f691c595
                                                                • Opcode Fuzzy Hash: a93745858264d6e52eac4afedffd97df3e73d59bd8ede940a7e816176503b5ec
                                                                • Instruction Fuzzy Hash:
                                                                APIs
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: HeapProcess
                                                                • String ID:
                                                                • API String ID: 54951025-0
                                                                • Opcode ID: cd387523f73b12d9b8a19abd40cda7705828330b8577956b5db69cb6f3d0c514
                                                                • Instruction ID: b5ac23812c00d0ce5219c25e14c3830a63695abbdbc4023bf064305548a5bd03
                                                                • Opcode Fuzzy Hash: cd387523f73b12d9b8a19abd40cda7705828330b8577956b5db69cb6f3d0c514
                                                                • Instruction Fuzzy Hash: AAA00170612206CF97409F39AF0A20D3AEABA4AA91B09A1AAA405C6571EB6494909E11
                                                                APIs
                                                                • GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation,?,00000000,?,?,?,?,?,03444574), ref: 03444305
                                                                • GetProcAddress.KERNEL32(00000000), ref: 0344430E
                                                                • GetModuleHandleA.KERNEL32(ntdll,NtQueryObject,?,?,?,?,03444574), ref: 0344431F
                                                                • GetProcAddress.KERNEL32(00000000), ref: 03444322
                                                                  • Part of subcall function 03443508: EnterCriticalSection.KERNEL32(034484D4,?,?,03443BE5,?,03442251), ref: 03443512
                                                                  • Part of subcall function 03443508: GetProcessHeap.KERNEL32(00000008,?,?,?,03443BE5,?,03442251), ref: 0344351B
                                                                  • Part of subcall function 03443508: RtlAllocateHeap.NTDLL(00000000,?,?,?,03443BE5,?,03442251), ref: 03443522
                                                                  • Part of subcall function 03443508: LeaveCriticalSection.KERNEL32(034484D4,?,?,?,03443BE5,?,03442251), ref: 0344352B
                                                                • OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,?,?,03444574), ref: 034443A4
                                                                • GetCurrentProcess.KERNEL32(03444574,00000000,00000000,00000002,?,?,?,?,03444574), ref: 034443C0
                                                                • DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,03444574), ref: 034443CF
                                                                • CloseHandle.KERNEL32(03444574,?,?,?,?,03444574), ref: 034443FF
                                                                • GetCurrentProcess.KERNEL32(03444574,00000000,00000000,00000001,?,?,?,?,03444574), ref: 0344440D
                                                                • DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,03444574), ref: 0344441C
                                                                • CloseHandle.KERNEL32(?,?,?,?,?,03444574), ref: 0344442F
                                                                • CloseHandle.KERNEL32(000000FF), ref: 03444452
                                                                • CloseHandle.KERNEL32(?), ref: 0344445A
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3455474502.0000000003440000.00000040.00001000.00020000.00000000.sdmp, Offset: 03440000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_3440000_698B.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: Handle$CloseProcess$AddressCriticalCurrentDuplicateHeapModuleProcSection$AllocateEnterLeaveOpen
                                                                • String ID: NtQueryObject$NtQuerySystemInformation$ntdll
                                                                • API String ID: 3110323036-2044536123
                                                                • Opcode ID: 4596a4f9adfbf06d441b119fdde03f4543ffaf0d9beb2747fadc0383960f6edc
                                                                • Instruction ID: 61a6f8a7cdb83686cec5631ccbe2d31ec0bfd124eaca91a519b343e2f11dd79e
                                                                • Opcode Fuzzy Hash: 4596a4f9adfbf06d441b119fdde03f4543ffaf0d9beb2747fadc0383960f6edc
                                                                • Instruction Fuzzy Hash: 50419475A00219ABEB10EBE69C44AAFFFB9EF44650F144076E520EB390DB70CD41CBA4
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: Yarn$std::_$Locinfo::_Locinfo_ctorLockitLockit::_
                                                                • String ID: bad locale name
                                                                • API String ID: 3904239083-1405518554
                                                                • Opcode ID: 959d094973867441d4e1d5e9698f90860366c90c4c92a8cd471867a56d0709b2
                                                                • Instruction ID: 1221ff52a9616cbb393858c74a902d55296446d96bcfc0c9e8645b2cb89466ab
                                                                • Opcode Fuzzy Hash: 959d094973867441d4e1d5e9698f90860366c90c4c92a8cd471867a56d0709b2
                                                                • Instruction Fuzzy Hash: C52190B0D0465AEBCF04EBA8D961BBEBB72BF45708F14455CE4122B7C2CB751A00CB66
                                                                APIs
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3455474502.0000000003440000.00000040.00001000.00020000.00000000.sdmp, Offset: 03440000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_3440000_698B.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: __aulldvrm
                                                                • String ID: (null)$(null)$0123456789ABCDEF$0123456789abcdef
                                                                • API String ID: 1302938615-1267642376
                                                                • Opcode ID: f314f55a2dc1f79cb532add3cff03b25603a346e1ee393b310b598ffafa89bbd
                                                                • Instruction ID: 79d232c51dc0e66264afa57bacb2aea09e9af09667cbdae0a9586a7dcc3f10b4
                                                                • Opcode Fuzzy Hash: f314f55a2dc1f79cb532add3cff03b25603a346e1ee393b310b598ffafa89bbd
                                                                • Instruction Fuzzy Hash: BB916B706047428FE725CF19C48062BFBE5EF85244F184D7EE8AA9B751D7B0A881CB59
                                                                APIs
                                                                • type_info::operator==.LIBVCRUNTIME ref: 00683400
                                                                • ___TypeMatch.LIBVCRUNTIME ref: 0068350E
                                                                • _UnwindNestedFrames.LIBCMT ref: 00683660
                                                                • CallUnexpected.LIBVCRUNTIME ref: 0068367B
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                                                • String ID: csm$csm$csm
                                                                • API String ID: 2751267872-393685449
                                                                • Opcode ID: 702997057a5ee75ccef1896ff6e80d9a15f36ef0555cb79648fc69ac998ec3e0
                                                                • Instruction ID: 0046e55ea0531c2e2ddcd0c02cdae562097931f21ad3ef4f192f74ceb34c29d9
                                                                • Opcode Fuzzy Hash: 702997057a5ee75ccef1896ff6e80d9a15f36ef0555cb79648fc69ac998ec3e0
                                                                • Instruction Fuzzy Hash: FDB16C71800229EFCF15EFA8C9419AEBBB6FF08B10B144659E9116B312D731DB61CF96
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID:
                                                                • String ID:
                                                                • API String ID: 0-3907804496
                                                                • Opcode ID: c2cbf893580f0a84634046144486a2e2c75e9be10b3e73acc0bda63fc9c25442
                                                                • Instruction ID: f797f8696c18140d0cf158963b0a9adfa61d56f6d6be946a9d597c71887bde6c
                                                                • Opcode Fuzzy Hash: c2cbf893580f0a84634046144486a2e2c75e9be10b3e73acc0bda63fc9c25442
                                                                • Instruction Fuzzy Hash: 29B117B0E0420A9FDF11EF99C841BAD7BBBAF46310F294259E4029F792C7709D42CB64
                                                                APIs
                                                                • MultiByteToWideChar.KERNEL32(00000000,00000000,00000001,?,00000000,00000000,?,?,?,00000001), ref: 0067F927
                                                                • MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,00000000,00000000), ref: 0067F992
                                                                • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0067F9AF
                                                                • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0067F9EE
                                                                • LCMapStringEx.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0067FA4D
                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0067FA70
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: ByteCharMultiStringWide
                                                                • String ID: T7}H
                                                                • API String ID: 2829165498-2795076325
                                                                • Opcode ID: cb991c035c587d4e5e9e87ebf939052f20efc0f4aa1a453ddbb13050791b4356
                                                                • Instruction ID: 74391c0cc3e1296504452bcd4c6bbdf33aa683cf0042d692d219ac2ab7e94ec9
                                                                • Opcode Fuzzy Hash: cb991c035c587d4e5e9e87ebf939052f20efc0f4aa1a453ddbb13050791b4356
                                                                • Instruction Fuzzy Hash: D0517C7290020AEBEF219FA4CC45FAA7BAAEF44750F148539F91DE6250DB749D11CB60
                                                                APIs
                                                                • _ValidateLocalCookies.LIBCMT ref: 00682DE7
                                                                • ___except_validate_context_record.LIBVCRUNTIME ref: 00682DEF
                                                                • _ValidateLocalCookies.LIBCMT ref: 00682E78
                                                                • __IsNonwritableInCurrentImage.LIBCMT ref: 00682EA3
                                                                • _ValidateLocalCookies.LIBCMT ref: 00682EF8
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                • String ID: T7}H$csm
                                                                • API String ID: 1170836740-1690584240
                                                                • Opcode ID: d1dbca620b7ee7ee13abe79f9b2a3d2f53322282bccec1f505adeec46f5107b3
                                                                • Instruction ID: d6910a8742c2a61610cde91fb4ddfceca239db62592e622d8ca69a293a6b15c9
                                                                • Opcode Fuzzy Hash: d1dbca620b7ee7ee13abe79f9b2a3d2f53322282bccec1f505adeec46f5107b3
                                                                • Instruction Fuzzy Hash: D841D334A0021AAFCF10EFA8C899A9EBBB7BF05714F148259E8145B392C7359E01CB95
                                                                APIs
                                                                • GetUserDefaultUILanguage.KERNEL32 ref: 03441F90
                                                                • GetKeyboardLayoutList.USER32(00000032,?), ref: 03441FF2
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3455474502.0000000003440000.00000040.00001000.00020000.00000000.sdmp, Offset: 03440000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_3440000_698B.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: DefaultKeyboardLanguageLayoutListUser
                                                                • String ID: )$- KeyboardLayouts: ( $- SystemLayout %d${%d}
                                                                • API String ID: 167087913-619012376
                                                                • Opcode ID: 4dacc03f1cbb291bd07111b9dcb6652831a556148bfc85d58c59eeba3e85fdb0
                                                                • Instruction ID: ff93bc5d122962b098ba585874c95331840b40463266a5955241328349962360
                                                                • Opcode Fuzzy Hash: 4dacc03f1cbb291bd07111b9dcb6652831a556148bfc85d58c59eeba3e85fdb0
                                                                • Instruction Fuzzy Hash: 6031C154E08288ADEB419FE4A4013FDBB70AF14705F0090ABF558FE282D7794B46C76E
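The two routines above that live in the 0x03440000 region (the one that resolves NtQuerySystemInformation/NtQueryObject from ntdll by name and duplicates process handles, and the one that reads the UI language and keyboard layout list) stand out from the image-backed 0x00620000 code once the listing is parsed rather than read by eye. The following is an added example, not part of the Joe Sandbox report or its tooling: a Python parser for the "APIs" and "Memory Dump Source" lines of these blocks, with a triage pass that decodes the protection and memory-type fields of the dump file name. The .sdmp field order (pid.stage.dumpid.base.protect.state.type.extra) is an assumption inferred from the names on this page; the PAGE_* and MEM_* values are the standard Win32 constants; the sample text is a constructed copy of three blocks from the report.

```python
"""Parse Joe Sandbox per-function 'APIs' / 'Memory Dump Source' listings (the
block format shown above) and flag what a triager checks first.
Added example, not the report's or Joe Sandbox's code. Assumption: the .sdmp
name is pid.stage.dumpid.base.protect.state.type.extra (inferred from this page).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: three blocks copied from the report, indentation removed.
SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(ntdll,NtQuerySystemInformation,?,00000000,?,?,?,?,?,03444574), ref: 03444305
• GetProcAddress.KERNEL32(00000000), ref: 0344430E
• GetModuleHandleA.KERNEL32(ntdll,NtQueryObject,?,?,?,?,03444574), ref: 0344431F
  • Part of subcall function 03443508: RtlAllocateHeap.NTDLL(00000000,?,?,?,03443BE5,?,03442251), ref: 03443522
• OpenProcess.KERNEL32(00000040,00000000,00000000,?,?,?,?,03444574), ref: 034443A4
• DuplicateHandle.KERNEL32(?,?,00000000,?,?,?,?,03444574), ref: 034443CF
Memory Dump Source
• Source File: 00000009.00000002.3455474502.0000000003440000.00000040.00001000.00020000.00000000.sdmp, Offset: 03440000, based on PE: true
APIs
• SetUnhandledExceptionFilter.KERNEL32(Function_0006062E,0067FC56), ref: 00680627
Memory Dump Source
• Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
APIs
• GetUserDefaultUILanguage.KERNEL32 ref: 03441F90
• GetKeyboardLayoutList.USER32(00000032,?), ref: 03441FF2
Memory Dump Source
• Source File: 00000009.00000002.3455474502.0000000003440000.00000040.00001000.00020000.00000000.sdmp, Offset: 03440000, based on PE: true
"""

API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[^.(\s]+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")
SRC_RE = re.compile(
    r"^•\s*Source File:\s*(?P<stem>[0-9A-F.]+)\.sdmp,\s*Offset:\s*(?P<offset>[0-9A-F]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)")
PAGE = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
        0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
        0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
MEMTYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                          # call-site address
    subcall_of: Optional[int] = None  # callee address when listed as 'Part of subcall'

@dataclass
class FuncBlock:
    calls: List[ApiCall] = field(default_factory=list)
    region: dict = field(default_factory=dict)

def decode_region(stem: str, offset: str, pe: str) -> dict:
    f = stem.split(".")
    base, protect, _state, mtype = (int(x, 16) for x in f[3:7])  # assumed field order
    return {"pid": int(f[0], 16), "base": base, "module_base": int(offset, 16),
            "protect": PAGE.get(protect & 0xFF, hex(protect)),  # drop GUARD/NOCACHE bits
            "type": MEMTYPE.get(mtype, hex(mtype)), "pe": pe == "true"}

def parse_blocks(text: str) -> List[FuncBlock]:
    blocks: List[FuncBlock] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":               # every function block opens with this header
            blocks.append(FuncBlock())
            continue
        m = API_RE.match(line)
        if m and blocks:
            args = m["args"].split(",") if m["args"] is not None else []
            blocks[-1].calls.append(ApiCall(m["name"], m["module"], args, int(m["ref"], 16),
                                            int(m["sub"], 16) if m["sub"] else None))
            continue
        m = SRC_RE.match(line)
        if m and blocks:
            blocks[-1].region = decode_region(m["stem"], m["offset"], m["pe"])
    return blocks

def triage(block: FuncBlock) -> List[str]:
    """Heuristics applied to one function block; returns readable findings."""
    out, r, names = [], block.region, {c.name for c in block.calls}
    if r.get("protect") == "PAGE_EXECUTE_READWRITE" and r.get("type") == "MEM_PRIVATE":
        out.append("executes from RWX private memory (unpacked or injected, not a mapped image)")
    targets = [c.args[1] for c in block.calls
               if c.name == "GetModuleHandleA" and c.args[:1] == ["ntdll"] and len(c.args) > 1]
    if targets and "GetProcAddress" in names:
        out.append("resolves ntdll exports at runtime: " + ", ".join(targets))
    if any(c.name == "OpenProcess" and c.args[:1] == ["00000040"] for c in block.calls):
        out.append("OpenProcess with PROCESS_DUP_HANDLE"
                   + (" followed by DuplicateHandle" if "DuplicateHandle" in names else ""))
    if names & {"GetUserDefaultUILanguage", "GetKeyboardLayoutList"}:
        out.append("queries UI language / keyboard layouts (locale fingerprinting)")
    return out

if __name__ == "__main__":
    for i, b in enumerate(parse_blocks(SAMPLE)):
        print(i, hex(b.region["base"]), b.region["protect"], b.region["type"], triage(b))
```

Run against the whole report text (after removing the leading indentation), the triage output separates the runtime-packed payload in the RWX private region from the statically linked CRT code in the 0x00620000 image, which is the split the Yara matches on this page follow as well.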
                                                                APIs
                                                                • FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,00000000,?,487D3754,?,0068DEA3,00000000,006213A5,00000000,00000000), ref: 0068DE55
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                 • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: FreeLibrary
                                                                • String ID: api-ms-$ext-ms-
                                                                • API String ID: 3664257935-537541572
                                                                • Opcode ID: 6bbe11b314b6ea469c4ce97cdd9ed5a2be2a69fa17ccde073dc1799f2a82c360
                                                                • Instruction ID: b0b84ed5b0b8a67846c289320e8e6d2ddd786e2a6aac422144dd7ae90fe4f412
                                                                • Opcode Fuzzy Hash: 6bbe11b314b6ea469c4ce97cdd9ed5a2be2a69fa17ccde073dc1799f2a82c360
                                                                • Instruction Fuzzy Hash: AB21D531A01211ABDB21BB64DC49A9A376BDF567B0F251219F916AB3D1D730ED01CBF0
                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 0067E51D
                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 0067E527
                                                                • int.LIBCPMTD ref: 0067E53E
                                                                  • Part of subcall function 006246D0: std::_Lockit::_Lockit.LIBCPMT ref: 006246E6
                                                                  • Part of subcall function 006246D0: std::_Lockit::~_Lockit.LIBCPMT ref: 00624710
                                                                • codecvt.LIBCPMT ref: 0067E561
                                                                • std::_Facet_Register.LIBCPMT ref: 0067E578
                                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 0067E598
                                                                • Concurrency::cancel_current_task.LIBCPMTD ref: 0067E5A5
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                 • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
                                                                • String ID:
                                                                • API String ID: 2133458128-0
                                                                • Opcode ID: 326d1d82208ed0155e45a2f096599ba5a6ae87c0752bc23e456a8242dbfc8c4e
                                                                • Instruction ID: 2c36a534190af34381eca4c4c9424a9b840e9c869bbe15fe58782e60364e1f3b
                                                                • Opcode Fuzzy Hash: 326d1d82208ed0155e45a2f096599ba5a6ae87c0752bc23e456a8242dbfc8c4e
                                                                • Instruction Fuzzy Hash: 9211E4B19006289FCB50AF64D8067AE77B7BF48724F10450DF40997381DFB5AE058BD4
                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 0067D7AF
                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 0067D7B9
                                                                • int.LIBCPMTD ref: 0067D7D0
                                                                  • Part of subcall function 006246D0: std::_Lockit::_Lockit.LIBCPMT ref: 006246E6
                                                                  • Part of subcall function 006246D0: std::_Lockit::~_Lockit.LIBCPMT ref: 00624710
                                                                • codecvt.LIBCPMT ref: 0067D7F3
                                                                • std::_Facet_Register.LIBCPMT ref: 0067D80A
                                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 0067D82A
                                                                • Concurrency::cancel_current_task.LIBCPMTD ref: 0067D837
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                 • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prolog3Registercodecvt
                                                                • String ID:
                                                                • API String ID: 2133458128-0
                                                                • Opcode ID: 699fd98910c8ec20c4025a043225fdaa20bcccbcd9228b1bd773b70680a036dc
                                                                • Instruction ID: 25f0cc15acc89739edd783ba5a5fdf52293a5c5ac5af7843180d812fd30ce7fc
                                                                • Opcode Fuzzy Hash: 699fd98910c8ec20c4025a043225fdaa20bcccbcd9228b1bd773b70680a036dc
                                                                • Instruction Fuzzy Hash: 0601C07590021A9BCB44FB64D842ABE7777AF84320F24450DE8196B391CF789E05CBC9
                                                                APIs
                                                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,487D3754,?,?,00000000,00698AEC,000000FF,?,006880A8,?,?,0068807C,00000000), ref: 00688101
                                                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00688113
                                                                • FreeLibrary.KERNEL32(00000000,?,00000000,00698AEC,000000FF,?,006880A8,?,?,0068807C,00000000), ref: 00688135
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                 • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: AddressFreeHandleLibraryModuleProc
                                                                • String ID: CorExitProcess$T7}H$mscoree.dll
                                                                • API String ID: 4061214504-1025034807
                                                                • Opcode ID: 7bc39e69658a9450271107c3d760d24503aab31227c6010f4a0c35eef79226e0
                                                                • Instruction ID: 5c8afcaef73bb8e3fa1e47160b79e0606f767b61332bed1773938f1864f2c7ea
                                                                • Opcode Fuzzy Hash: 7bc39e69658a9450271107c3d760d24503aab31227c6010f4a0c35eef79226e0
                                                                • Instruction Fuzzy Hash: 67016771510525EFDF119F54DC09BAEBBBEFB09715F00062EE811A3690DF799900CB60
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3455474502.0000000003440000.00000040.00001000.00020000.00000000.sdmp, Offset: 03440000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_3440000_698B.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID:
                                                                • String ID: x
                                                                • API String ID: 0-2363233923
                                                                • Opcode ID: 663e32857591112a02bb666ecc01940ad14feee40853a7c025abd4ffa42d514d
                                                                • Instruction ID: 954d74fe153798da1b118021d64f9db41b98bbfb1259f1ee819dbcc44c1038f9
                                                                • Opcode Fuzzy Hash: 663e32857591112a02bb666ecc01940ad14feee40853a7c025abd4ffa42d514d
                                                                • Instruction Fuzzy Hash: 9702AF78E00219DFDB45CF98D984AAEB7F4FF09704F148466E866EB350D730AA22CB55
                                                                APIs
                                                                • GetConsoleOutputCP.KERNEL32(487D3754,00000000,00000000,00000000), ref: 0068F4FA
                                                                  • Part of subcall function 00691EBD: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0068EF8D,?,00000000,-00000008), ref: 00691F1E
                                                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0068F74C
                                                                • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 0068F792
                                                                • GetLastError.KERNEL32 ref: 0068F835
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                 • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                                                • String ID: T7}H
                                                                • API String ID: 2112829910-2795076325
                                                                • Opcode ID: 3383a5be08d49093b60a6c35f70db71a1b71556dae3aac8d816f3a03385d37d0
                                                                • Instruction ID: 8015455c4054bc29260bb59ea30abae756cc8da6d51a6741aafc7241a4352ef4
                                                                • Opcode Fuzzy Hash: 3383a5be08d49093b60a6c35f70db71a1b71556dae3aac8d816f3a03385d37d0
                                                                • Instruction Fuzzy Hash: 8FD149B5D002489FDB15DFA8D8809EDBBB6FF09314F24466AE826EB355D730A942CF50
                                                                APIs
                                                                • GetLastError.KERNEL32(?,?,00682FA1,006816DC,00680672), ref: 00682FB8
                                                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00682FC6
                                                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00682FDF
                                                                • SetLastError.KERNEL32(00000000,00682FA1,006816DC,00680672), ref: 00683031
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                 • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: ErrorLastValue___vcrt_
                                                                • String ID:
                                                                • API String ID: 3852720340-0
                                                                • Opcode ID: c1295c95bbf962b50038a84b74122187fa9334982a28af8d0443893fa809ea29
                                                                • Instruction ID: cd6f2bf98efaaab0ea2643949dc2d95bd1b67f689524961e4a2da3365f69ef12
                                                                • Opcode Fuzzy Hash: c1295c95bbf962b50038a84b74122187fa9334982a28af8d0443893fa809ea29
                                                                • Instruction Fuzzy Hash: D101D8321093335D9B653AF47D85B6B2657EB52B74720032FF210562E1EF515C01D755
                                                                APIs
                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 00621E40
                                                                • int.LIBCPMTD ref: 00621E59
                                                                  • Part of subcall function 006246D0: std::_Lockit::_Lockit.LIBCPMT ref: 006246E6
                                                                  • Part of subcall function 006246D0: std::_Lockit::~_Lockit.LIBCPMT ref: 00624710
                                                                • Concurrency::cancel_current_task.LIBCPMTD ref: 00621E99
                                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 00621F01
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                 • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_task
                                                                • String ID:
                                                                • API String ID: 3053331623-0
                                                                • Opcode ID: 874e42ebe925c1d94a28012418cf54d8ccd7376f5135fc6e29d1e712a1ebacaa
                                                                • Instruction ID: a197801be9eab8ce3e73bcd1f5d5d2b6f1469c71eac7fb2e1dcbcf38f4b59b4b
                                                                • Opcode Fuzzy Hash: 874e42ebe925c1d94a28012418cf54d8ccd7376f5135fc6e29d1e712a1ebacaa
                                                                • Instruction Fuzzy Hash: ED312AB1D04619DBCB04EF94D892BEEBBB2BF19310F20421DE82567391DB346A44CFA5
                                                                APIs
                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 00621F40
                                                                • int.LIBCPMTD ref: 00621F59
                                                                  • Part of subcall function 006246D0: std::_Lockit::_Lockit.LIBCPMT ref: 006246E6
                                                                  • Part of subcall function 006246D0: std::_Lockit::~_Lockit.LIBCPMT ref: 00624710
                                                                • Concurrency::cancel_current_task.LIBCPMTD ref: 00621F99
                                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 00622001
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                 • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: Lockitstd::_$Lockit::_Lockit::~_$Concurrency::cancel_current_task
                                                                • String ID:
                                                                • API String ID: 3053331623-0
                                                                • Opcode ID: 0640f4a93e4f0687796af6cca3034821a6226fdf23fbb0afd68023f5ddc457ba
                                                                • Instruction ID: b23dfe097ce5384b032517e6f6219c9b905a437510db55e953b354a339834672
                                                                • Opcode Fuzzy Hash: 0640f4a93e4f0687796af6cca3034821a6226fdf23fbb0afd68023f5ddc457ba
                                                                • Instruction Fuzzy Hash: 3C3138B0D04619DBCB04EF94D992AEEBBB2BF19310F20821DE42567391DB346A40CFA5
                                                                APIs
                                                                • __EH_prolog3.LIBCMT ref: 0067CE44
                                                                • std::_Lockit::_Lockit.LIBCPMT ref: 0067CE4F
                                                                • std::_Lockit::~_Lockit.LIBCPMT ref: 0067CEBD
                                                                  • Part of subcall function 0067CFA0: std::locale::_Locimp::_Locimp.LIBCPMT ref: 0067CFB8
                                                                • std::locale::_Setgloballocale.LIBCPMT ref: 0067CE6A
                                                                • _Yarn.LIBCPMT ref: 0067CE80
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                 • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_SetgloballocaleYarn
                                                                • String ID:
                                                                • API String ID: 1088826258-0
                                                                • Opcode ID: d18b6793a581512d81c43628495803ee6e89bdd3067e58a34e45ddb01863be4b
                                                                • Instruction ID: 4073126e69ef53bd1b58cdf6819a0be6ebb80343a4a1a49f79cbb30807215ca7
                                                                • Opcode Fuzzy Hash: d18b6793a581512d81c43628495803ee6e89bdd3067e58a34e45ddb01863be4b
                                                                • Instruction Fuzzy Hash: CB01BC75A006119BCB46FF20D86597D7BA7FF89720B14900DE81657382CF786E06CBC9
                                                                APIs
                                                                • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0069290B
                                                                • GetLastError.KERNEL32 ref: 00692915
                                                                • __dosmaperr.LIBCMT ref: 0069291C
                                                                Strings
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
                                                                 • Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
                                                                 • Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_620000_698B.jbxd
                                                                Similarity
                                                                • API ID: ErrorFileLastModuleName__dosmaperr
                                                                • String ID: T7}H
                                                                • API String ID: 4076908705-2795076325
                                                                • Opcode ID: 91c483068883e56d222b967bae4c6cb0a4926d806a52b98528faf464d0d5699a
                                                                • Instruction ID: ce0916fd55b3ea66e2c03c0e1a24b47647d73bb5b3c57ad24f5a3f0c2c33efa5
                                                                • Opcode Fuzzy Hash: 91c483068883e56d222b967bae4c6cb0a4926d806a52b98528faf464d0d5699a
                                                                • Instruction Fuzzy Hash: FC116D7190021DABCF64EFA8DC99BDE77BDAB18304F1005DEE00AE7240EA709A84CF54
                                                                APIs
                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00684023,00000000,?,006AB824,?,?,?,006841C6,00000004,InitializeCriticalSectionEx,0069B270,InitializeCriticalSectionEx), ref: 0068407F
                                                                • GetLastError.KERNEL32(?,00684023,00000000,?,006AB824,?,?,?,006841C6,00000004,InitializeCriticalSectionEx,0069B270,InitializeCriticalSectionEx,00000000,?,00683F7D), ref: 00684089
                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 006840B1
                                                                Similarity
                                                                • API ID: LibraryLoad$ErrorLast
                                                                • String ID: api-ms-
                                                                • API String ID: 3177248105-2084034818
                                                                • Opcode ID: 544ba03796b5d138b85e725f98411ed4e6f85c47cd274a8bc4e7e174cd3b60d1
                                                                • Instruction ID: a123aff9b72560e32f192a9dc56535bbc4f514af1a1f753e4cd164e3ff97712e
                                                                • Opcode Fuzzy Hash: 544ba03796b5d138b85e725f98411ed4e6f85c47cd274a8bc4e7e174cd3b60d1
                                                                • Instruction Fuzzy Hash: FBE04830680205BBEF203FA1EC06B993B6B9B00B54F144029FE0CE45E1DB63D9509AD9
                                                                Similarity
                                                                • API ID: AdjustPointer
                                                                • String ID:
                                                                • API String ID: 1740715915-0
                                                                • Opcode ID: bc12708b9ac326e0fe94751c94b463ef4fe496421c117d0ef1a6d474023348a8
                                                                • Instruction ID: 1daaa9ca8d703ed216745e5f30a4b783de8a82612c6851f45775d7c405b9c36b
                                                                • Opcode Fuzzy Hash: bc12708b9ac326e0fe94751c94b463ef4fe496421c117d0ef1a6d474023348a8
                                                                • Instruction Fuzzy Hash: 8951F2716042269FDB28AF10D849BAAB7A7EF40F00F14462DEC8647391E771EE42CB94
                                                                APIs
                                                                  • Part of subcall function 00691EBD: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0068EF8D,?,00000000,-00000008), ref: 00691F1E
                                                                • GetLastError.KERNEL32 ref: 006922DE
                                                                • __dosmaperr.LIBCMT ref: 006922E5
                                                                • GetLastError.KERNEL32(?,?,?,?), ref: 0069231F
                                                                • __dosmaperr.LIBCMT ref: 00692326
                                                                Similarity
                                                                • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                                                • String ID:
                                                                • API String ID: 1913693674-0
                                                                • Opcode ID: 0c5cf5bcfd5d3d1f77477ac85a61302f53d8cce4cb0e3feafcb6ad2aeaf71e4c
                                                                • Instruction ID: fd6fa0610af2e019046fe9c7821f9e420b554d583afe583241801422b549b9dc
                                                                • Opcode Fuzzy Hash: 0c5cf5bcfd5d3d1f77477ac85a61302f53d8cce4cb0e3feafcb6ad2aeaf71e4c
                                                                • Instruction Fuzzy Hash: 3D21D431600606BFDF20AF6588918ABB7AFFF043647108A1DF829C7A41D775ED4187A1
                                                                • Opcode ID: 2059991128bfe7d8138c231f52733d5cc2325af5adb5fd9f4f429daa0d66cad8
                                                                • Instruction ID: 8b113b8c493d5873f3288d15fba2b3d1a47758d2930e22b34dd46a92c2d71ad9
                                                                • Opcode Fuzzy Hash: 2059991128bfe7d8138c231f52733d5cc2325af5adb5fd9f4f429daa0d66cad8
                                                                • Instruction Fuzzy Hash: 4A219F71608605AFDB20BF75984096ABBABEF51364720471DF815C7650EB71ED0187A1
                                                                APIs
                                                                • GetEnvironmentStringsW.KERNEL32 ref: 00693226
                                                                  • Part of subcall function 00691EBD: WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000000,?,-00000008,?,00000000,-00000008,-00000008,00000000,?,0068EF8D,?,00000000,-00000008), ref: 00691F1E
                                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0069325E
                                                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0069327E
                                                                Similarity
                                                                • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                                                • String ID:
                                                                • API String ID: 158306478-0
                                                                • Opcode ID: 549d1bd9a83578f289c9f217b901f885de042b98961dfd49d6fff1630cedd8df
                                                                • Instruction ID: 87cca22da8ccc70cb93b1691f9275e0ce87dd7440407445d1ce6a877e25eadc8
                                                                • Opcode Fuzzy Hash: 549d1bd9a83578f289c9f217b901f885de042b98961dfd49d6fff1630cedd8df
                                                                • Instruction Fuzzy Hash: 071184B15016267F7F113BB55C8ECBF79AFEE8A3A4710056AF802D5601EA348F029675
                                                                APIs
                                                                • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,00000000,?,00696B6B,00000000,00000001,0000000C,00000000,?,0068F889,00000000,00000000,00000000), ref: 00697C52
                                                                • GetLastError.KERNEL32(?,00696B6B,00000000,00000001,0000000C,00000000,?,0068F889,00000000,00000000,00000000,00000000,00000000,?,0068FE2C,?), ref: 00697C5E
                                                                  • Part of subcall function 00697C24: CloseHandle.KERNEL32(FFFFFFFE,00697C6E,?,00696B6B,00000000,00000001,0000000C,00000000,?,0068F889,00000000,00000000,00000000,00000000,00000000), ref: 00697C34
                                                                • ___initconout.LIBCMT ref: 00697C6E
                                                                  • Part of subcall function 00697BE6: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,00697C15,00696B58,00000000,?,0068F889,00000000,00000000,00000000,00000000), ref: 00697BF9
                                                                • WriteConsoleW.KERNEL32(00000000,00000000,?,00000000,?,00696B6B,00000000,00000001,0000000C,00000000,?,0068F889,00000000,00000000,00000000,00000000), ref: 00697C83
                                                                Similarity
                                                                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                                                • String ID:
                                                                • API String ID: 2744216297-0
                                                                • Opcode ID: 64206b8a007e20b234779be5f0153c50b4c17fbcf9c74d93c2984f582fe16de4
                                                                • Instruction ID: 0f714da6a200c6991e63adfd02113dfb83c05f4315049cddcd7cfd23106fe5fc
                                                                • Opcode Fuzzy Hash: 64206b8a007e20b234779be5f0153c50b4c17fbcf9c74d93c2984f582fe16de4
                                                                • Instruction Fuzzy Hash: 5AF01C36514119FFCF622FE9DC099D93F6BFB093A0F055055FA1985A20D6329820DBA5
                                                                APIs
                                                                  • Part of subcall function 03443508: EnterCriticalSection.KERNEL32(034484D4,?,?,03443BE5,?,03442251), ref: 03443512
                                                                  • Part of subcall function 03443508: GetProcessHeap.KERNEL32(00000008,?,?,?,03443BE5,?,03442251), ref: 0344351B
                                                                  • Part of subcall function 03443508: RtlAllocateHeap.NTDLL(00000000,?,?,?,03443BE5,?,03442251), ref: 03443522
                                                                  • Part of subcall function 03443508: LeaveCriticalSection.KERNEL32(034484D4,?,?,?,03443BE5,?,03442251), ref: 0344352B
                                                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,?,00000005,00000000,00000000), ref: 03442E3D
                                                                Memory Dump Source
                                                                • Source File: 00000009.00000002.3455474502.0000000003440000.00000040.00001000.00020000.00000000.sdmp, Offset: 03440000, based on PE: true
                                                                Joe Sandbox IDA Plugin
                                                                • Snapshot File: hcaresult_9_2_3440000_698B.jbxd
                                                                Yara matches
                                                                Similarity
                                                                • API ID: CriticalHeapSection$AllocateByteCharEnterLeaveMultiProcessWide
                                                                • String ID: x
                                                                • API String ID: 1990697408-2363233923
                                                                • Opcode ID: 7d47e0429b21672db5e8dd3178b59ce09f75bf5813d144f56b32661e3177333c
                                                                • Instruction ID: e8f0bfc79adf32677deb454dfdfc996dc1e25dc11681d8438423a101f1574e14
                                                                • Opcode Fuzzy Hash: 7d47e0429b21672db5e8dd3178b59ce09f75bf5813d144f56b32661e3177333c
                                                                • Instruction Fuzzy Hash: 3102B074904249EFEF41CF98D984AAEBBF0BB09300F1488A6E865EB350D770AA51CF55
                                                                APIs
                                                                • __startOneArgErrorHandling.LIBCMT ref: 0068BC8D
                                                                Similarity
                                                                • API ID: ErrorHandling__start
                                                                • String ID: pow
                                                                • API String ID: 3213639722-2276729525
                                                                • Opcode ID: b9e8242e4c702ea12172cbc08d0cbe16bd313428d13173c4da36b3fd66840065
                                                                • Instruction ID: 0b58217733b28c2c55ddb35153c5f4cbf4ab23bcf47acb01ff6fcc678609bfff
                                                                • Opcode Fuzzy Hash: b9e8242e4c702ea12172cbc08d0cbe16bd313428d13173c4da36b3fd66840065
                                                                • Instruction Fuzzy Hash: FF518A7190460196CB117B18DD413FE2BA7DF40B60F206F6EF486823A9EF718CD5AB5A
                                                                APIs
                                                                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00690725
                                                                • ReadFile.KERNEL32(00000000,?,00001000,?,00000000,00690462,00000001,00000000,0067DF6B,00000000,?,?,00000000,?,?,006908F1), ref: 006907AB
                                                                Similarity
                                                                • API ID: FileReadUnothrow_t@std@@@__ehfuncinfo$??2@
                                                                • String ID: T7}H
                                                                • API String ID: 1834446548-2795076325
                                                                • Opcode ID: 1cca598f5308596904b9cc48766119b3ebe9430a5a14b4408bcf1cb3c9e892fd
                                                                • Instruction ID: 488c060ad67d9d6e5dcf605c9dee8ee5a14ddd6c726dacb7963d41586c656ccb
                                                                • Opcode Fuzzy Hash: 1cca598f5308596904b9cc48766119b3ebe9430a5a14b4408bcf1cb3c9e892fd
                                                                • Instruction Fuzzy Hash: F041CE31B00258AFEF21DF64CE80BE977BAAB48300F1081E9E54997A41D7B5DEC19F90
                                                                Similarity
                                                                • API ID: Fputc
                                                                • String ID: T7}H
                                                                • API String ID: 3078413507-2795076325
                                                                • Opcode ID: 2d5dca9f080bfa7310d01442bb81df7f92de4dddf45c542619cf98be9f4023c0
                                                                • Instruction ID: fbd34576e3fc63c0fa2a7dc2b9af42cf76c959b7b515ffbbf12c806f9675a35c
                                                                • Opcode Fuzzy Hash: 2d5dca9f080bfa7310d01442bb81df7f92de4dddf45c542619cf98be9f4023c0
                                                                • Instruction Fuzzy Hash: 4641733590051AABDF14DF64C4809EE77BAFF0D310B5485AAE509E7750DB36ED48CBA0
                                                                APIs
                                                                • EncodePointer.KERNEL32(00000000,?), ref: 006836AB
                                                                Similarity
                                                                • API ID: EncodePointer
                                                                • String ID: MOC$RCC
                                                                • API String ID: 2118026453-2084237596
                                                                • Opcode ID: 01504c986dd034fa641e7c550055a19fdcf388abfebc7e89e0459b9c4b867457
                                                                • Instruction ID: 874fb8ad759de52caa21d611a9105520d150db5fc0f9990282ab5751783279f2
                                                                • Opcode Fuzzy Hash: 01504c986dd034fa641e7c550055a19fdcf388abfebc7e89e0459b9c4b867457
                                                                • Instruction Fuzzy Hash: 10415BB1900219AFDF15EF98CD81AEEBBB6BF48700F144299FA046B311D335EA50DB54
                                                                APIs
                                                                • WriteFile.KERNEL32(?,?,00000000,?,00000000,0068FEA1,?,?,00000000,?,00000000,00000000,0000000C,?,00000000,006A8EB0), ref: 0068FBF0
                                                                • GetLastError.KERNEL32(0068FEA1,?,?,00000000,?,00000000,00000000,0000000C,?,00000000,006A8EB0,00000014,0068663C,00000000,00000000,00000000), ref: 0068FC20
                                                                Similarity
                                                                • API ID: ErrorFileLastWrite
                                                                • String ID: T7}H
                                                                • API String ID: 442123175-2795076325
APIs
• GetStringTypeW.KERNEL32(?,-00000008,00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,FFFFF9B2), ref: 0068EDAB
• __freea.LIBCMT ref: 0068EDB8
  • Part of subcall function 0068AC15: RtlAllocateHeap.NTDLL(00000000,00000000,?,?,0067FB1F,00000000,?,0063322C,00000000,?,006213A5,00000000), ref: 0068AC47
Strings
Memory Dump Source
• Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
• Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_620000_698B.jbxd
Similarity
• API ID: AllocateHeapStringType__freea
• String ID: T7}H
• API String ID: 4073780324-2795076325
APIs
Strings
Memory Dump Source
• Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
• Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_620000_698B.jbxd
Similarity
• API ID: Wcrtomb
• String ID: T7}H
• API String ID: 2723506260-2795076325
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000,?,0068FE8A,?,?,00000000,?,00000000,00000000), ref: 0068FAC8
• GetLastError.KERNEL32(?,0068FE8A,?,?,00000000,?,00000000,00000000,0000000C,?,00000000,006A8EB0,00000014,0068663C,00000000,00000000), ref: 0068FAEE
Strings
Memory Dump Source
• Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
• Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_620000_698B.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: T7}H
• API String ID: 442123175-2795076325
APIs
• Concurrency::task_continuation_context::task_continuation_context.LIBCPMTD ref: 0067C9E8
• task.LIBCPMTD ref: 0067C9F6
Strings
• }{cdef~hijkl/nopqrstuvwx|><B-DEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_+, xrefs: 0067C92A
Memory Dump Source
• Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
• Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_620000_698B.jbxd
Similarity
• API ID: Concurrency::task_continuation_context::task_continuation_contexttask
• String ID: }{cdef~hijkl/nopqrstuvwx|><B-DEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()_+
• API String ID: 605201214-2946796713
APIs
• WriteFile.KERNEL32(?,?,?,?,00000000,00000000,00000000,00000000,?,0068FEB5,?,?,00000000,?,00000000,00000000), ref: 0068F9DF
• GetLastError.KERNEL32(?,0068FEB5,?,?,00000000,?,00000000,00000000,0000000C,?,00000000,006A8EB0,00000014,0068663C,00000000,00000000), ref: 0068FA05
Strings
Memory Dump Source
• Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
• Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_620000_698B.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID: T7}H
• API String ID: 442123175-2795076325
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00680723
• ___raise_securityfailure.LIBCMT ref: 0068080B
Strings
Memory Dump Source
• Source File: 00000009.00000002.3453842278.0000000000621000.00000020.00000001.01000000.0000000B.sdmp, Offset: 00620000, based on PE: true
• Associated: 00000009.00000002.3453803272.0000000000620000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3453903337.0000000000699000.00000002.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3453941299.00000000006AA000.00000004.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3453974646.00000000006AB000.00000040.00000001.01000000.0000000B.sdmp
• Associated: 00000009.00000002.3454007704.00000000006AC000.00000002.00000001.01000000.0000000B.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_620000_698B.jbxd
Similarity
• API ID: FeaturePresentProcessor___raise_securityfailure
• String ID: T7}H
• API String ID: 3761405300-2795076325
APIs
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,$d.log,000000FF,00000000,00000000,00000000,00000000,?,?,?,03443DC1,00000000,?,0000011C), ref: 03443D34
  • Part of subcall function 03443508: EnterCriticalSection.KERNEL32(034484D4,?,?,03443BE5,?,03442251), ref: 03443512
  • Part of subcall function 03443508: GetProcessHeap.KERNEL32(00000008,?,?,?,03443BE5,?,03442251), ref: 0344351B
  • Part of subcall function 03443508: RtlAllocateHeap.NTDLL(00000000,?,?,?,03443BE5,?,03442251), ref: 03443522
  • Part of subcall function 03443508: LeaveCriticalSection.KERNEL32(034484D4,?,?,?,03443BE5,?,03442251), ref: 0344352B
• WideCharToMultiByte.KERNEL32(0000FDE9,00000000,$d.log,000000FF,00000000,?,00000000,00000000,?,03443DC1,00000000,?,0000011C), ref: 03443D6A
Strings
Memory Dump Source
• Source File: 00000009.00000002.3455474502.0000000003440000.00000040.00001000.00020000.00000000.sdmp, Offset: 03440000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3440000_698B.jbxd
Yara matches
Similarity
• API ID: ByteCharCriticalHeapMultiSectionWide$AllocateEnterLeaveProcess
• String ID: $d.log
• API String ID: 635875880-1910398676