Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe
Analysis ID:	1503237
MD5:	e9521ec55c41641cc645a0223b1e9ac1
SHA1:	ef63f2a2d918925b8b44ec9a9b848e919cc6a22a
SHA256:	2c49cd770976c10d5f65114ce71ce14817e3ffaa74cf3bed2fa24f588b13ebf2
Tags:	exe
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for submitted file

Machine Learning detection for dropped file

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Too many similar processes found

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe (PID: 6760 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe" MD5: E9521EC55C41641CC645A0223B1E9AC1)

setup.exe (PID: 6440 cmdline: "C:\Users\user\AppData\Local\Temp\setup.exe" MD5: 2B4BA70B5C6115ADD73FDEF28AAEAA8A)

GamePall.exe (PID: 3796 cmdline: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)

GamePall.exe (PID: 776 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/128.0.6613.92 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3100 --field-trial-handle=3104,i,8519906087661824235,16153509177742921822,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2 MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)

GamePall.exe (PID: 612 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/128.0.6613.92 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3860 --field-trial-handle=3104,i,8519906087661824235,16153509177742921822,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8 MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)

GamePall.exe (PID: 3636 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/128.0.6613.92 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3964 --field-trial-handle=3104,i,8519906087661824235,16153509177742921822,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8 MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)

GamePall.exe (PID: 1864 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/128.0.6613.92 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1725338884646186 --launch-time-ticks=6866609478 --mojo-platform-channel-handle=4028 --field-trial-handle=3104,i,8519906087661824235,16153509177742921822,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1 MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)

GamePall.exe (PID: 4892 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/128.0.6613.92 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1725338884646186 --launch-time-ticks=6866677761 --mojo-platform-channel-handle=4140 --field-trial-handle=3104,i,8519906087661824235,16153509177742921822,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1 MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)

GamePall.exe (PID: 676 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)

GamePall.exe (PID: 1632 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)

GamePall.exe (PID: 3740 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)

GamePall.exe (PID: 5816 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)

GamePall.exe (PID: 4840 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)

GamePall.exe (PID: 6044 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)

GamePall.exe (PID: 6040 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)

GamePall.exe (PID: 6380 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)

GamePall.exe (PID: 4556 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)

GamePall.exe (PID: 6112 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)

GamePall.exe (PID: 6844 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)

GamePall.exe (PID: 6540 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)

GamePall.exe (PID: 4208 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)

GamePall.exe (PID: 4288 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)

GamePall.exe (PID: 1204 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)

GamePall.exe (PID: 1560 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)

GamePall.exe (PID: 3436 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)

GamePall.exe (PID: 4724 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)

GamePall.exe (PID: 5984 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)

GamePall.exe (PID: 5608 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)

GamePall.exe (PID: 6184 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)

GamePall.exe (PID: 7104 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)

GamePall.exe (PID: 6952 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)

GamePall.exe (PID: 1924 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)

GamePall.exe (PID: 3168 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)

GamePall.exe (PID: 1264 cmdline: "C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" MD5: 46A3A9D4CA0EBE2BC40FA28BBFCD7200)

cleanup

Sigma Signatures

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\setup.exe, ProcessId: 6440, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GamePall

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZRZDXR93\huge[1].dat	Avira: detection malicious, Label: HEUR/AGEN.1359405
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Avira: detection malicious, Label: HEUR/AGEN.1359405

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	ReversingLabs: Detection: 18%
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Virustotal: Detection: 21%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\GamePall\Del.exe	Joe Sandbox ML: detected

Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\setup.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamePall

Jump to behavior

Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll.pdb source: widevinecdmadapter.dll.6.dr
Source:	Binary string: D3DCompiler_47.pdb source: d3dcompiler_47.dll.6.dr
Source:	Binary string: e:\work\newContent\secondBranch\new\GamePall\obj\Release\GamePall.pdbH source: GamePall.exe, 00000007.00000000.3508047574.0000000000A02000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: e:\work\newContent\secondBranch\new\GamePall\obj\Release\GamePall.pdb source: GamePall.exe, 00000007.00000000.3508047574.0000000000A02000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: GamePall.exe, GamePall.exe, 00000009.00000002.3567364533.0000000005D12000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\chrome_elf.dll.pdb source: GamePall.exe, 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D3DCompiler_47.pdbGCTL source: d3dcompiler_47.dll.6.dr
Source:	Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: GamePall.exe, 00000009.00000002.3566365047.00000000051B2000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: GamePall.exe, 00000009.00000002.3567364533.0000000005D12000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\chrome_elf.dll.pdb source: GamePall.exe, 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll.pdbGCTL source: widevinecdmadapter.dll.6.dr
Source:	Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: GamePall.exe, GamePall.exe, 00000009.00000002.3566365047.00000000051B2000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: `OTHER`TEMP`PACKED<%s return value>hlslFlagshlslTargethlslEntryhlslDefinesinternal error: failed to write debug data to pdb streaminternal error: failed to add section contributioninternal warning: PDB Error string is "%S"internal error: failed to close debug infointernal error: failed to close PDBinternal error: failed to open PDB for writing in streaminternal error: failed to create debug info in PDBinternal error: failed to add code section to debug infointernal error: failed to add module to debug infointernal error: failed to create type info in PDBinternal error: failed to create inline type info in PDBinternal error: failed to create source file store in PDBinternal error: failed to close source file store in PDBinternal error: failed to close module in debug infointernal error: failed to commit type info in PDBinternal error: failed to commit inline type info in PDBinternal error: failed to add section header to debug infointernal error: failed to append section header to pdbinternal error: failed to close section header in debug infointernal error: failed to close debug info in PDBinternal error: failed to commit PDBinternal error: PDB data too largeinternal error: PDB stream truncatedinternal error: failed to close source file storeinternal error: failed to close type infointernal error: pdb append failedfxl_4_0too many arguments to target TXtoo many outputs to target TXclip not supported in texture shadersinvalid reference to input semantic '%s%d'invalid reference to output semantic '%s%d'0123456789abcdef.pdbVPosSV_ViewportArrayIndexColorFailed to log error, redirecting to debug output: source: d3dcompiler_47.dll.6.dr

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_6092EA80 FindFirstFileExW,	9_2_6092EA80
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608FF3F7 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	9_2_608FF3F7
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608FF346 FindFirstFileExW,	9_2_608FF346
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_6092F490 FindFirstFileExW,	9_2_6092F490

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

Code function: 4x nop then movd mm0, dword ptr [edx]

9_2_608646F0

Source: Joe Sandbox View

IP Address: 185.117.88.39 185.117.88.39

Source: GamePall.exe, 00000009.00000002.3564510429.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 0000000A.00000002.3628668214.0000000003271000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.3625469037.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 0000000F.00000002.3735139731.00000000033E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.install-stat.debug.world/clients/activity
Source: GamePall.exe, 0000000F.00000002.3735139731.00000000033E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.install-stat.debug.world/clients/activity0
Source: GamePall.exe, 0000000F.00000002.3735139731.00000000033E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.install-stat.debug.world/clients/installs
Source: GamePall.exe, 0000000D.00000002.3625469037.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 0000000F.00000002.3735139731.00000000033E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://api.install-stat.debug.world/clients/installs0
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe, 00000001.00000003.2466025557.0000000003040000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://glokh.com/22_556/huge.dat
Source: GamePall.exe, 00000009.00000002.3564510429.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 0000000A.00000002.3628668214.0000000003271000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.3625469037.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 0000000F.00000002.3735139731.00000000033E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jiugeyou.bond
Source: GamePall.exe, 0000000F.00000002.3735139731.00000000033E1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jiugeyou.bond0
Source: GamePall.exe	String found in binary or memory: http://logging.apache.org/log4ne
Source: GamePall.exe, 00000009.00000002.3566365047.00000000051B2000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://logging.apache.org/log4net/release/faq.html#trouble-EventLog
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: GamePall.exe, GamePall.exe, 00000009.00000002.3566365047.00000000051B2000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://www.apache.org/).
Source: GamePall.exe, GamePall.exe, 00000009.00000002.3566365047.00000000051B2000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://www.apache.org/licenses/
Source: GamePall.exe	String found in binary or memory: http://www.apache.org/licenses/LICEN
Source: GamePall.exe, 00000009.00000002.3566365047.00000000051B2000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: icudtl.dat.6.dr	String found in binary or memory: http://www.unicode.org/copyright.html
Source: GamePall.exe, 00000009.00000002.3566916334.0000000005630000.00000002.00000001.00040000.00000016.sdmp, et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr, pt-BR.pak.6.dr, en-US.pak.6.dr, uk.pak.6.dr, ru.pak.6.dr, id.pak.6.dr, it.pak.6.dr, es-419.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore/category/extensions
Source: GamePall.exe, 00000009.00000002.3566916334.0000000005630000.00000002.00000001.00040000.00000016.sdmp, en-US.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u
Source: GamePall.exe, 00000009.00000002.3566916334.0000000005630000.00000002.00000001.00040000.00000016.sdmp, en-US.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=enCtrl$1
Source: es-419.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=es-419&category=theme81https://myactivity.google.com/myactivit
Source: es-419.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=es-419Ctrl$1
Source: et.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=et&category=theme81https://myactivity.google.com/myactivity/?u
Source: et.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=etCtrl$1
Source: hi.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=hi&category=theme81https://myactivity.google.com/myactivity/?u
Source: hi.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=hiCtrl$1
Source: hr.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=hr&category=theme81https://myactivity.google.com/myactivity/?u
Source: hr.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=hrCtrl$1
Source: id.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=id&category=theme81https://myactivity.google.com/myactivity/?u
Source: id.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=idCtrl$1
Source: it.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=it&category=theme81https://myactivity.google.com/myactivity/?u
Source: it.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=itCtrl$1
Source: ml.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=ml&category=theme81https://myactivity.google.com/myactivity/?u
Source: ml.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=mlCtrl$1
Source: pt-BR.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=pt-BR&category=theme81https://myactivity.google.com/myactivity
Source: pt-BR.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=pt-BRCtrl$1
Source: ru.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=ru&category=theme81https://myactivity.google.com/myactivity/?u
Source: ru.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=ruCtrl$1
Source: te.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=te&category=theme81https://myactivity.google.com/myactivity/?u
Source: te.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=teCtrl$1
Source: th.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=th&category=theme81https://myactivity.google.com/myactivity/?u
Source: th.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=thCtrl$1
Source: uk.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=uk&category=theme81https://myactivity.google.com/myactivity/?u
Source: uk.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=ukCtrl$1
Source: GamePall.exe, 00000009.00000002.3566916334.0000000005630000.00000002.00000001.00040000.00000016.sdmp, et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr, pt-BR.pak.6.dr, en-US.pak.6.dr, uk.pak.6.dr, ru.pak.6.dr, id.pak.6.dr, it.pak.6.dr, es-419.pak.6.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
Source: GamePall.exe, 00000009.00000002.3566916334.0000000005630000.00000002.00000001.00040000.00000016.sdmp, et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr, pt-BR.pak.6.dr, en-US.pak.6.dr, uk.pak.6.dr, ru.pak.6.dr, id.pak.6.dr, it.pak.6.dr, es-419.pak.6.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
Source: GamePall.exe, 00000009.00000002.3566916334.0000000005630000.00000002.00000001.00040000.00000016.sdmp, et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr, pt-BR.pak.6.dr, en-US.pak.6.dr, uk.pak.6.dr, ru.pak.6.dr, id.pak.6.dr, it.pak.6.dr, es-419.pak.6.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
Source: GamePall.exe, 00000009.00000002.3566916334.0000000005630000.00000002.00000001.00040000.00000016.sdmp, et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr, pt-BR.pak.6.dr, en-US.pak.6.dr, uk.pak.6.dr, ru.pak.6.dr, id.pak.6.dr, it.pak.6.dr, es-419.pak.6.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
Source: GamePall.exe, 00000009.00000002.3566916334.0000000005630000.00000002.00000001.00040000.00000016.sdmp, et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr, pt-BR.pak.6.dr, en-US.pak.6.dr, uk.pak.6.dr, ru.pak.6.dr, id.pak.6.dr, it.pak.6.dr, es-419.pak.6.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
Source: GamePall.exe, 00000009.00000002.3566916334.0000000005630000.00000002.00000001.00040000.00000016.sdmp, et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr, pt-BR.pak.6.dr, en-US.pak.6.dr, uk.pak.6.dr, ru.pak.6.dr, id.pak.6.dr, it.pak.6.dr, es-419.pak.6.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
Source: GamePall.exe, 00000009.00000002.3566916334.0000000005630000.00000002.00000001.00040000.00000016.sdmp, et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr, pt-BR.pak.6.dr, en-US.pak.6.dr, uk.pak.6.dr, ru.pak.6.dr, it.pak.6.dr, es-419.pak.6.dr	String found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
Source: GamePall.exe, 00000009.00000002.3566916334.0000000005630000.00000002.00000001.00040000.00000016.sdmp, et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr, pt-BR.pak.6.dr, en-US.pak.6.dr, uk.pak.6.dr, ru.pak.6.dr, id.pak.6.dr, it.pak.6.dr, es-419.pak.6.dr	String found in binary or memory: https://myactivity.google.com/
Source: th.pak.6.dr, uk.pak.6.dr, ru.pak.6.dr	String found in binary or memory: https://passwords.google.com
Source: id.pak.6.dr	String found in binary or memory: https://passwords.google.comAkun
Source: pt-BR.pak.6.dr	String found in binary or memory: https://passwords.google.comConta
Source: es-419.pak.6.dr	String found in binary or memory: https://passwords.google.comCuenta
Source: GamePall.exe, 00000009.00000002.3566916334.0000000005630000.00000002.00000001.00040000.00000016.sdmp, et.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr, en-US.pak.6.dr, it.pak.6.dr	String found in binary or memory: https://passwords.google.comGoogle
Source: GamePall.exe, 00000009.00000002.3566916334.0000000005630000.00000002.00000001.00040000.00000016.sdmp, et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr, pt-BR.pak.6.dr, en-US.pak.6.dr, uk.pak.6.dr, ru.pak.6.dr, id.pak.6.dr, it.pak.6.dr, es-419.pak.6.dr	String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: GamePall.exe, 00000009.00000002.3566916334.0000000005630000.00000002.00000001.00040000.00000016.sdmp, et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr, pt-BR.pak.6.dr, en-US.pak.6.dr, uk.pak.6.dr, ru.pak.6.dr, id.pak.6.dr, it.pak.6.dr, es-419.pak.6.dr	String found in binary or memory: https://policies.google.com/
Source: et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr, pt-BR.pak.6.dr, uk.pak.6.dr, ru.pak.6.dr, it.pak.6.dr	String found in binary or memory: https://support.google.com/chrome/a/answer/9122284
Source: GamePall.exe, 00000009.00000002.3566916334.0000000005630000.00000002.00000001.00040000.00000016.sdmp, et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr, pt-BR.pak.6.dr, en-US.pak.6.dr, uk.pak.6.dr, ru.pak.6.dr, id.pak.6.dr, it.pak.6.dr	String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: GamePall.exe, 00000009.00000002.3566916334.0000000005630000.00000002.00000001.00040000.00000016.sdmp, et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr, pt-BR.pak.6.dr, en-US.pak.6.dr, uk.pak.6.dr, ru.pak.6.dr, id.pak.6.dr, it.pak.6.dr, es-419.pak.6.dr	String found in binary or memory: https://support.google.com/chromebook?p=app_intent
Source: GamePall.exe, GamePall.exe, 00000009.00000002.3566507407.00000000051F6000.00000002.00000001.01000000.0000000C.sdmp, GamePall.exe, 00000009.00000002.3566365047.00000000051B2000.00000002.00000001.01000000.0000000C.sdmp	String found in binary or memory: https://svn.apache.org/repos/asf/logging/log4net/tags/2.0.8RC1
Source: th.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr, uk.pak.6.dr	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html
Source: ru.pak.6.dr	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html&
Source: et.pak.6.dr	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlA&biHaldab
Source: pt-BR.pak.6.dr	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlA&judaGerenciado
Source: es-419.pak.6.dr	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlA&yudaAdministrado
Source: id.pak.6.dr	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlDikelola
Source: it.pak.6.dr	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlG&uidaGestito
Source: GamePall.exe, 00000009.00000002.3566916334.0000000005630000.00000002.00000001.00040000.00000016.sdmp, en-US.pak.6.dr	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged
Source: hr.pak.6.dr	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlP&omo

Source: GamePall.exe

Process created: 59

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_60884FA0 RtlInitUnicodeString,NtOpenKeyEx,	9_2_60884FA0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_60885140 RtlInitUnicodeString,NtQueryValueKey,NtQueryValueKey,NtQueryValueKey,NtQueryValueKey,NtQueryValueKey,	9_2_60885140
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_60885610 NtClose,	9_2_60885610
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608841C0 NtClose,NtClose,RtlInitUnicodeString,NtCreateKey,NtClose,NtClose,RtlInitUnicodeString,NtCreateKey,NtDeleteKey,	9_2_608841C0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_60885120 NtClose,	9_2_60885120
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_60885690 RtlInitUnicodeString,NtSetValueKey,	9_2_60885690
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_60885700 RtlInitUnicodeString,NtSetValueKey,	9_2_60885700

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608B0D00	9_2_608B0D00
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608B36F0	9_2_608B36F0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_6088DC00	9_2_6088DC00
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608B3C00	9_2_608B3C00
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608620B0	9_2_608620B0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608C40B0	9_2_608C40B0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608A40D0	9_2_608A40D0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608C61B0	9_2_608C61B0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608841C0	9_2_608841C0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608662CD	9_2_608662CD
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_6088C220	9_2_6088C220
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_6090427A	9_2_6090427A
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608E4397	9_2_608E4397
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608663ED	9_2_608663ED
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608AA370	9_2_608AA370
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608C2490	9_2_608C2490
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608664C9	9_2_608664C9
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_60930400	9_2_60930400
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608D65A0	9_2_608D65A0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608AA570	9_2_608AA570
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_6089C6C0	9_2_6089C6C0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608A8610	9_2_608A8610
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_60862640	9_2_60862640
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608A6790	9_2_608A6790
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_6089C7A0	9_2_6089C7A0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608687FD	9_2_608687FD
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_60872700	9_2_60872700
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608A88A0	9_2_608A88A0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608BE830	9_2_608BE830
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608B8840	9_2_608B8840
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_60866855	9_2_60866855
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608D8860	9_2_608D8860
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_60930930	9_2_60930930
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_6092C960	9_2_6092C960
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_60890970	9_2_60890970
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608D2A90	9_2_608D2A90
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_60866A5D	9_2_60866A5D
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_60932A70	9_2_60932A70
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608D6BA0	9_2_608D6BA0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608A8BC0	9_2_608A8BC0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608BECB0	9_2_608BECB0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_60864C00	9_2_60864C00
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_60862C30	9_2_60862C30
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608E6C40	9_2_608E6C40
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608DADE0	9_2_608DADE0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608E2E8A	9_2_608E2E8A
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_60892EE0	9_2_60892EE0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_60930E60	9_2_60930E60
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608BCE70	9_2_608BCE70
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_6088AFB0	9_2_6088AFB0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_60862FD7	9_2_60862FD7
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_60874F30	9_2_60874F30
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_609310C0	9_2_609310C0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608D51D0	9_2_608D51D0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_60933100	9_2_60933100
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608B52B0	9_2_608B52B0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608BD2E0	9_2_608BD2E0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608CF2E0	9_2_608CF2E0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608DF2E0	9_2_608DF2E0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608DB2E0	9_2_608DB2E0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608D32F0	9_2_608D32F0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_60879310	9_2_60879310
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_60925490	9_2_60925490
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608D1490	9_2_608D1490
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_60889410	9_2_60889410
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608A1470	9_2_608A1470
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608E75C4	9_2_608E75C4
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_60933510	9_2_60933510
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_609056A9	9_2_609056A9
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608616C0	9_2_608616C0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_60931640	9_2_60931640
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608657D0	9_2_608657D0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608D77D0	9_2_608D77D0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608A17F0	9_2_608A17F0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_6092B730	9_2_6092B730
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608B9730	9_2_608B9730
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_60893750	9_2_60893750
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608AD890	9_2_608AD890
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608758E0	9_2_608758E0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_60873A80	9_2_60873A80
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608CDA00	9_2_608CDA00
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_60861A30	9_2_60861A30
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608D5A40	9_2_608D5A40
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608D3B80	9_2_608D3B80
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608CFB90	9_2_608CFB90
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_60877BA0	9_2_60877BA0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608D5BA0	9_2_608D5BA0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608BFBC0	9_2_608BFBC0
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608E3B1B	9_2_608E3B1B
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_60861B60	9_2_60861B60
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_60863C80	9_2_60863C80
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_60865C00	9_2_60865C00
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608D9C40	9_2_608D9C40
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608A1C50	9_2_608A1C50
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_60861D10	9_2_60861D10
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_60875F80	9_2_60875F80
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_6088FF00	9_2_6088FF00
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_02A34F58	9_2_02A34F58
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_02A33860	9_2_02A33860
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_02A31049	9_2_02A31049
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 10_2_01684F58	10_2_01684F58
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 10_2_01683860	10_2_01683860
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 10_2_01681049	10_2_01681049
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 11_2_01314F58	11_2_01314F58
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 13_2_00F44F58	13_2_00F44F58
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 13_2_00F43860	13_2_00F43860
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 15_2_01854F58	15_2_01854F58
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 36_2_00DD1049	36_2_00DD1049

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\nsf909B.tmp\liteFirewall.dll 9DB9C58E44DFF2D985DC078FDBB7498DCC66C4CC4EB12F68DE6A98A5D665ABBD

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: String function: 60926700 appears 39 times
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: String function: 608DDF70 appears 52 times
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: String function: 6090B830 appears 61 times
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: String function: 6090CE60 appears 518 times

Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Ionic.Zip.dll.6.dr, WinZipAesCipherStream.cs	Cryptographic APIs: 'TransformBlock'
Source: Ionic.Zip.dll.6.dr, WinZipAesCipherStream.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Ionic.Zip.dll.6.dr, WinZipAesCipherStream.cs	Cryptographic APIs: 'TransformFinalBlock', 'TransformBlock'

Source: GamePall.exe.6.dr, Program.cs

Base64 encoded string: 'IjjDC+Kzky7h6dahkgx7zKqwbX4x+VN/YxyiRIgqR+rWDRoupoPgC2U+14kzkKfq', 'j7KZk1ZqPmRFwIRGPamNQR6L6TOlPCFL2+jwkLqgE7LkWax6DLVnn4LlnTlhONEmzPM4FweuWRNzXqAzJmt6rWQ5WN3UuB8jj+RXLH9II/ob9f3l1ouC/3GDBUY5We4W6xMbVl+3eu1xXlsw7wTEhnqWijhhKVJ5COeJC6YOkgQXTZe9zuDdir8ybKTCa2BTIjQhAZWiNyCAvIdnZfJwW8SVw8sn3jRoEWZtlVexgz+k7ewIDDCPt5iQyZ5FN7Qgf7kVAdjNaKxBgFeCC2U1Lx9wJyjOdJSoYtQwnYhwn4wjVKcvauwtZSlhrZHPdt35TOgV9AOsU/NWgCjpVH99OeErfd6cllX4ndpMWnRPFKVOBgIUB+OJMl3Bkn8a4xTi+jmPEUctuWoEl77ssxyjCkRXN1YqQLM9hfR0FCM2aQRxjr5bcI2syaZQDrwimgfuR3QsA4M038V1IuSgI0f5i3H7N3InL4z45n95AemgCpLvm0E+Rm1lzqJxBMO9WC7y47eYHEb07kIYxv1rlXoQZ2KdSPL73HFe0Q9haF+wdT7WoqtRbMy4ontfazMR8RuUgGvamRsAtcIsq3cez3lkpB2DL2CirqdIvZjni9/M9GoZKZagMYDx2ioe+e/XZ3JGP+I5AMk2aDFUy9XfeaWm04gRp7xyi4MYeX/E23j5z0i89BHSCS8VouFMEZHu32e/Mu9nSa+CWDwW9abygPK0lVPtTEQqmKjLRg95CLmfdxue1wudhZs6KslldKbHtO8E/ZnjxXEMO2CmWbq49VK0ao2d9j2FbS5ACPh2qQdG7oXeTldz98EXNPZA0SXdf63d', 'mJuUnBwb6afFGOev7LmkGEG6Dgkm7JniAaWSPskowCjZrOStQl1TloeRt2KE1QbyCGVrvoSzPooPdhXSNHDoduWPcWkQwlpFGfV6jv0BX3fksQwVtSyeNTevSqAYcVJjr4oMt00z3+f5o7AEiK0cy/DWhrCY8qwoG2CVbcUi6Khn6iA0jw01tyBp1Jp36OuxJ/NQsW5xFJ0datXzo10qRmLDgRY9/Ks82by/9Ii0gwOm7maDDuRBaIbZc6ziSTaNXGT0lJj7lj7gMK29aqloaSb8tOKwHuYb8pJyiMP/UhVlaoqV81rnO2v0uExo3YRFTucDCsmBzhvPJAM2cT9Caf9LsMb+qnHtikC0zBq2mPmbQzEL8mIPrsrjpkUjlkE0rJXB9BChfestEFQM/KD91GnTxAc6gQcUrML6aO9Ule0Yz07rP6DnW0UJVXFAIikYxkx6+CxKCJiyblU9sX9oa1dmq5WW7pazdishWL7Cy1l6F3nUzIfVinfywSJQ3ZaJbSuEB9ATfp3iQ7wJBvRf93MDD9ulBMTec356UMGRa5TclbFD6bioRKe3Q1AC4ph6uUj1Wvi4Wl9vmM3yoRDSRdaCz6LyIdlwyRugoEfRJEYSdANWvw8lXlOm1u5K5nGnY1Ywunt/XQ9Fly3+qXSloCXIL04tADu5i3OEbTwBS4Y=', 'glGVjSjXAiG8Bkwam1OVr+DBCJei4cowbUnNLIcGCUhYMbP0Ttk4qLOmKNKZV79FQ9jwJrzNnLeSn9eR+gw59Wco8TI4lbg4/uMB1nYtHNehEtqsEAamWSqEIypV6ocs16ZDt88WOEUcWsgHMFz57fn25+xBLj5rV1BAAhUDZzecCzlSPJxO6Q6g2CaxRyRNk0+e4gNl7cBNplFNOkF/CMvPGqa0PLoLshlPmgzcjaRslhglJjlQn4S4EP6osfk/A0c4MiEq2gTYF1intUQol9+8iUIt1zkoAdADcIKs1ZtSUUX9/VJ8RP/py+xZIIDOHs16zcTRRuOEMZhwBDugrA==', 'X17tbUw8s77O1n80PpLHNqVsMhgzIWJ8q9LqzeDbkZrXXXgfV04DLoNYXd36btaIMOnRcYzkr81S6lRErzYLeLVzcKiaBHxz1R45ZnqCLzQ=', 'Jf/Fh+O3gmErKt8f+iuyUgRD7tfJrXeEfkM8ewFgXuzQdmeWdntKrm3PM/z+usg7', 'KftLQYCzACGydUPkPY7pfH7FXB2roz9nOS9nmr7lSafs3pcoVVVU2X3MjsPCSS6Vtug+Fms9/a9lx5p1k9H8ajqaqPqvXRKeBL28KfGcYI6jFXhe15mg3mOq44rkcvfhCJhs4b8BykAVQ6Pw8HZ7QPnbA6fhjaFITDrTjsFlv6kQGHrdAhjmAOPBYK5/Ut/4+Mtrmaz+m3RpYlxP3y84IxDbVKxIKY61T5DQcV9wW8xxm0riB2Oy18JDfgV0AgtrRDZSCeUloIuT8jEnU3yzXg==', 'glGVjSjXAiG8Bkwam1OVr7knjj9WTZaARSMVdWOR5vIqGi8Gh4pdOv19CFBlRUIN4rlLoS1iTZQ89vwVweLarze0XdQO1SEqVaZgiWsuXm0=', 'QqQVQFG7bPgYKPhQuwuJY53/PFMd4YECmco3LEi4qQNUcAnP1u8JRn4RRmvWZ5An', 'uEoar2s6eJoCFZnXecA1bDZN1C7ZwVm/uL/0b/zsoprAywI45jjbwzmkTowBfKBD', 'LHmAqxeOA2eHknM1hWFp3ULQhNFU4oYanb83xANGDVaXuBwVFsxv+WvGmgeLkqz2', 'rTgV+2PYc7cTXdhZZxupVqxWeoM8K3/ornPrV+OJIIbbq0aPEDzkwCDo99uMb2QA', 'rAFEUL5t/PcYsixu221Y6UnpIRmwKGNJVoRTcgQWj9itwydh50UvncjeAA4QxIF7', 'SKJdcMIFItICh/EPbGgSg0H3TiezSMacUvvxNHeUqHfO8SgJEu8Gc6n1fM6hzHQD157e8KtCue+hTJbkJ+yQxrW7HWzpEhK/Fq0Eub56nNQ=', 'glGVjSjXAiG8Bkwam1OVr1wt/Jd73lf

Source: classification engine

Classification label: mal68.evad.winEXE@76/108@0/2

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

Code function: 9_2_609265D0 FormatMessageA,GetLastError,_strlen,

9_2_609265D0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe

File created: C:\Users\user\AppData\Roaming\GamePall

Jump to behavior

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Mutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_GamePall_Logs_mainLog.txt
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Mutant created: \Sessions\1\BaseNamedObjects\C__Users_user_AppData_Roaming_GamePall_Logs_rendLog.txt

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe

File created: C:\Users\user\AppData\Local\Temp\nsfF921.tmp

Jump to behavior

Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	ReversingLabs: Detection: 18%
Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Virustotal: Detection: 21%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: chrome_elf.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mdmregistration.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mdmregistration.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: omadmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dmcmnutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iri.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscms.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: coloradapterclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: chrome_elf.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mf.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mfplat.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: chrome_elf.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Section loaded: windows.storage.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\setup.exe

Registry value created: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GamePall

Jump to behavior

Source: SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll.pdb source: widevinecdmadapter.dll.6.dr
Source:	Binary string: D3DCompiler_47.pdb source: d3dcompiler_47.dll.6.dr
Source:	Binary string: e:\work\newContent\secondBranch\new\GamePall\obj\Release\GamePall.pdbH source: GamePall.exe, 00000007.00000000.3508047574.0000000000A02000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: e:\work\newContent\secondBranch\new\GamePall\obj\Release\GamePall.pdb source: GamePall.exe, 00000007.00000000.3508047574.0000000000A02000.00000002.00000001.01000000.0000000A.sdmp
Source:	Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdb source: GamePall.exe, GamePall.exe, 00000009.00000002.3567364533.0000000005D12000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\chrome_elf.dll.pdb source: GamePall.exe, 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: D3DCompiler_47.pdbGCTL source: d3dcompiler_47.dll.6.dr
Source:	Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdbLK source: GamePall.exe, 00000009.00000002.3566365047.00000000051B2000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: E:\work\newContent\secondBranch\cefglue-main\CefGlue\obj\Release\net40\Xilium.CefGlue.pdbSHA256 source: GamePall.exe, 00000009.00000002.3567364533.0000000005D12000.00000002.00000001.01000000.0000000D.sdmp
Source:	Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\chrome_elf.dll.pdb source: GamePall.exe, 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmp
Source:	Binary string: Y:\work\CEF3_git\chromium\src\out\Release_GN_x86\WidevineCdm\_platform_specific\win_x86\widevinecdmadapter.dll.pdbGCTL source: widevinecdmadapter.dll.6.dr
Source:	Binary string: c:\log4net\tags\2.0.8RC1\bin\net\4.0\release\log4net.pdb source: GamePall.exe, GamePall.exe, 00000009.00000002.3566365047.00000000051B2000.00000002.00000001.01000000.0000000C.sdmp
Source:	Binary string: `OTHER`TEMP`PACKED<%s return value>hlslFlagshlslTargethlslEntryhlslDefinesinternal error: failed to write debug data to pdb streaminternal error: failed to add section contributioninternal warning: PDB Error string is "%S"internal error: failed to close debug infointernal error: failed to close PDBinternal error: failed to open PDB for writing in streaminternal error: failed to create debug info in PDBinternal error: failed to add code section to debug infointernal error: failed to add module to debug infointernal error: failed to create type info in PDBinternal error: failed to create inline type info in PDBinternal error: failed to create source file store in PDBinternal error: failed to close source file store in PDBinternal error: failed to close module in debug infointernal error: failed to commit type info in PDBinternal error: failed to commit inline type info in PDBinternal error: failed to add section header to debug infointernal error: failed to append section header to pdbinternal error: failed to close section header in debug infointernal error: failed to close debug info in PDBinternal error: failed to commit PDBinternal error: PDB data too largeinternal error: PDB stream truncatedinternal error: failed to close source file storeinternal error: failed to close type infointernal error: pdb append failedfxl_4_0too many arguments to target TXtoo many outputs to target TXclip not supported in texture shadersinvalid reference to input semantic '%s%d'invalid reference to output semantic '%s%d'0123456789abcdef.pdbVPosSV_ViewportArrayIndexColorFailed to log error, redirecting to debug output: source: d3dcompiler_47.dll.6.dr

Source: Newtonsoft.Json.dll.6.dr

Static PE information: 0xF68F744F [Mon Jan 31 06:35:59 2101 UTC]

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

Code function: 9_2_608C61B0 __Init_thread_header,LoadLibraryW,GetProcAddress,

9_2_608C61B0

Source: chrome_elf.dll.6.dr	Static PE information: section name: .00cfg
Source: chrome_elf.dll.6.dr	Static PE information: section name: .crthunk
Source: chrome_elf.dll.6.dr	Static PE information: section name: CPADinfo
Source: chrome_elf.dll.6.dr	Static PE information: section name: malloc_h
Source: libEGL.dll.6.dr	Static PE information: section name: .00cfg
Source: libGLESv2.dll.6.dr	Static PE information: section name: .00cfg
Source: libcef.dll.6.dr	Static PE information: section name: .00cfg
Source: libcef.dll.6.dr	Static PE information: section name: .rodata
Source: libcef.dll.6.dr	Static PE information: section name: CPADinfo
Source: libcef.dll.6.dr	Static PE information: section name: malloc_h

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608DE38B push ecx; ret	9_2_608DE39E
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_60867C10 push 89084589h; iretd	9_2_60867C15
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 11_2_0131AF90 push esi; ret	11_2_0131AFE3
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 11_2_0131AE97 push edi; ret	11_2_0131AE9B

Source: Ionic.Zip.dll.6.dr

Static PE information: section name: .text entropy: 6.821349263259562

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZRZDXR93\huge[1].dat	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Local\Temp\nsf909B.tmp\liteFirewall.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\libcef.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\log4net.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	File created: C:\Users\user\AppData\Local\Temp\setup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\chrome_elf.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\Del.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	File created: C:\Users\user\AppData\Local\Temp\nskF942.tmp\blowfish.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	File created: C:\Users\user\AppData\Local\Temp\nskF942.tmp\INetC.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\libEGL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	File created: C:\Users\user\AppData\Local\Temp\nskF942.tmp\nsProcess.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	File created: C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\setup.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GamePall			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run GamePall			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2B60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2D80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2B60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2BC0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2990000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 1680000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 3270000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 30D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 1310000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 3010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2DB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: F40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2A50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 11C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2D20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2B20000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 1850000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 33E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 31F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2FA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 31E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2210000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 23E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 43E0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: BA0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 26A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 46A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 14F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 3020000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2E10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 1130000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2AB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 1130000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 1380000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2CE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 4E20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2630000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2700000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 4700000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: DB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2860000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 25B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 14F0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 3300000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 3220000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 1620000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 3230000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 1750000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2290000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 24B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 23B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: A90000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2690000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 4690000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 1370000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2D50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 4D50000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 3220000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 32A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 52A0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: F10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2CB0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2AD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: C10000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2560000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 4560000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 1400000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2E60000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 1430000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: DD0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2A20000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: F00000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: C30000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 29C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 49C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 13B0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2DE0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Memory allocated: 2C10000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

Code function: 9_2_608BE130 rdtsc

9_2_608BE130

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

Thread delayed: delay time: 600000

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsf909B.tmp\liteFirewall.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libcef.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\log4net.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Del.exe	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nskF942.tmp\blowfish.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nskF942.tmp\INetC.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll	Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nskF942.tmp\nsProcess.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\setup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll	Jump to dropped file

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

API coverage: 3.7 %

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe TID: 1232

Thread sleep time: -600000s >= -30000s

Jump to behavior

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_6092EA80 FindFirstFileExW,	9_2_6092EA80
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608FF3F7 FindFirstFileExW,FindNextFileW,FindClose,FindClose,	9_2_608FF3F7
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608FF346 FindFirstFileExW,	9_2_608FF346
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_6092F490 FindFirstFileExW,	9_2_6092F490

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

Code function: 9_2_60874D80 GetSystemInfo,GetSystemInfo,

9_2_60874D80

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

Thread delayed: delay time: 600000

Jump to behavior

Source: GamePall.exe, 00000007.00000002.3718039617.00000000011E7000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll_

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

Code function: 9_2_608BE130 rdtsc

9_2_608BE130

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

Code function: 9_2_608FB5D6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

9_2_608FB5D6

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

Code function: 9_2_608C61B0 __Init_thread_header,LoadLibraryW,GetProcAddress,

9_2_608C61B0

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608DE18A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	9_2_608DE18A
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_60923120 GetCurrentProcessId,SetUnhandledExceptionFilter,AddVectoredExceptionHandler,	9_2_60923120
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608FB5D6 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_608FB5D6
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_6088BC40 GetCurrentProcessId,CreateEventW,CreateEventW,CreateEventW,CreateEventW,SetUnhandledExceptionFilter,AddVectoredExceptionHandler,CreateThread,	9_2_6088BC40
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: 9_2_608DDC6C IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	9_2_608DDC6C

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (iphone; cpu iphone os 17_5 like mac os x) applewebkit/605.1.15 (khtml, like gecko) crios/128.0.6613.92 mobile/15e148 safari/604.1" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3100 --field-trial-handle=3104,i,8519906087661824235,16153509177742921822,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:2
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=storage.mojom.storageservice --lang=en-us --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (iphone; cpu iphone os 17_5 like mac os x) applewebkit/605.1.15 (khtml, like gecko) crios/128.0.6613.92 mobile/15e148 safari/604.1" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3860 --field-trial-handle=3104,i,8519906087661824235,16153509177742921822,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-us --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (iphone; cpu iphone os 17_5 like mac os x) applewebkit/605.1.15 (khtml, like gecko) crios/128.0.6613.92 mobile/15e148 safari/604.1" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3964 --field-trial-handle=3104,i,8519906087661824235,16153509177742921822,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (iphone; cpu iphone os 17_5 like mac os x) applewebkit/605.1.15 (khtml, like gecko) crios/128.0.6613.92 mobile/15e148 safari/604.1" --user-data-dir="c:\users\user\appdata\local\cef\user data" --first-renderer-process --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1725338884646186 --launch-time-ticks=6866609478 --mojo-platform-channel-handle=4028 --field-trial-handle=3104,i,8519906087661824235,16153509177742921822,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (iphone; cpu iphone os 17_5 like mac os x) applewebkit/605.1.15 (khtml, like gecko) crios/128.0.6613.92 mobile/15e148 safari/604.1" --user-data-dir="c:\users\user\appdata\local\cef\user data" --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1725338884646186 --launch-time-ticks=6866677761 --mojo-platform-channel-handle=4140 --field-trial-handle=3104,i,8519906087661824235,16153509177742921822,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (iphone; cpu iphone os 17_5 like mac os x) applewebkit/605.1.15 (khtml, like gecko) crios/128.0.6613.92 mobile/15e148 safari/604.1" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --gpu-preferences=waaaaaaaaadgaaamaaaaaaaaaaaaaaaaaabgaaaaaaa4aaaaaaaaaaaaaaaeaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaagaaaaaaaaaayaaaaaaaaaagaaaaaaaaacaaaaaaaaaaiaaaaaaaaaa== --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3100 --field-trial-handle=3104,i,8519906087661824235,16153509177742921822,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:2	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=storage.mojom.storageservice --lang=en-us --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (iphone; cpu iphone os 17_5 like mac os x) applewebkit/605.1.15 (khtml, like gecko) crios/128.0.6613.92 mobile/15e148 safari/604.1" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3860 --field-trial-handle=3104,i,8519906087661824235,16153509177742921822,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-us --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="mozilla/5.0 (iphone; cpu iphone os 17_5 like mac os x) applewebkit/605.1.15 (khtml, like gecko) crios/128.0.6613.92 mobile/15e148 safari/604.1" --lang=en-us --user-data-dir="c:\users\user\appdata\local\cef\user data" --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --mojo-platform-channel-handle=3964 --field-trial-handle=3104,i,8519906087661824235,16153509177742921822,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:8	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (iphone; cpu iphone os 17_5 like mac os x) applewebkit/605.1.15 (khtml, like gecko) crios/128.0.6613.92 mobile/15e148 safari/604.1" --user-data-dir="c:\users\user\appdata\local\cef\user data" --first-renderer-process --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1725338884646186 --launch-time-ticks=6866609478 --mojo-platform-channel-handle=4028 --field-trial-handle=3104,i,8519906087661824235,16153509177742921822,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Process created: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe "c:\users\user\appdata\roaming\gamepall\gamepall.exe" --type=renderer --log-severity=disable --user-agent="mozilla/5.0 (iphone; cpu iphone os 17_5 like mac os x) applewebkit/605.1.15 (khtml, like gecko) crios/128.0.6613.92 mobile/15e148 safari/604.1" --user-data-dir="c:\users\user\appdata\local\cef\user data" --no-sandbox --log-file="c:\users\user\appdata\roaming\gamepall\debug.log" --lang=en-us --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1725338884646186 --launch-time-ticks=6866677761 --mojo-platform-channel-handle=4140 --field-trial-handle=3104,i,8519906087661824235,16153509177742921822,262144 --disable-features=backforwardcache,calculatenativewinocclusion,documentpictureinpictureapi /prefetch:1	Jump to behavior

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

Code function: 9_2_608A40D0 cpuid

9_2_608A40D0

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: GetLocaleInfoW,	9_2_608FA48C
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	9_2_608FE797
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: EnumSystemLocalesW,	9_2_608FA9CD
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: EnumSystemLocalesW,	9_2_608FE9E8
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	9_2_608FEA90
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: EnumSystemLocalesW,	9_2_608FECE3
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: GetLocaleInfoW,	9_2_608FED50
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: EnumSystemLocalesW,	9_2_608FEE25
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: GetLocaleInfoW,	9_2_608FEE70
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	9_2_608FEF17
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Code function: GetLocaleInfoW,	9_2_608FF01D

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\log4net.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	Queries volume information: C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll VolumeInformation

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

Code function: 9_2_6089B950 VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,CreateNamedPipeW,

9_2_6089B950

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

Code function: 9_2_6090E1E0 GetSystemTimePreciseAsFileTime,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,

9_2_6090E1E0

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

Code function: 9_2_60901085 GetTimeZoneInformation,

9_2_60901085

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

Code function: 9_2_608BCBD0 __Init_thread_header,GetVersionExW,GetProductInfo,__Init_thread_header,GetNativeSystemInfo,

9_2_608BCBD0

Source: C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Command and Scripting Interpreter	1 Windows Service	1 Windows Service	1 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 Registry Run Keys / Startup Folder	12 Process Injection	1 Disable or Modify Tools	LSASS Memory	21 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	12 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	41 Obfuscated Files or Information	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Software Packing	DCSync	35 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Timestomp	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 DLL Side-Loading	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	18%	ReversingLabs
SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	22%	Virustotal		Browse
SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	100%	Avira	HEUR/AGEN.1359405

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZRZDXR93\huge[1].dat	100%	Avira	HEUR/AGEN.1359405
C:\Users\user\AppData\Local\Temp\setup.exe	100%	Avira	HEUR/AGEN.1359405
C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\GamePall\Del.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZRZDXR93\huge[1].dat	8%	ReversingLabs	Win32.Backdoor.Generic
C:\Users\user\AppData\Local\Temp\nsf909B.tmp\liteFirewall.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nskF942.tmp\INetC.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nskF942.tmp\blowfish.dll	5%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nskF942.tmp\nsProcess.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\setup.exe	8%	ReversingLabs	Win32.Backdoor.Generic
C:\Users\user\AppData\Roaming\GamePall\Del.exe	7%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\GamePall.exe	5%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\chrome_elf.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\libEGL.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\libcef.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\log4net.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
https://support.google.com/chrome/answer/6098869	0%	URL Reputation	safe
http://www.unicode.org/copyright.html	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_Error	0%	URL Reputation	safe
http://www.apache.org/licenses/LICEN	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=teCtrl$1	0%	Avira URL Cloud	safe
https://www.google.com/chrome/privacy/eula_text.html	0%	Avira URL Cloud	safe
https://svn.apache.org/repos/asf/logging/log4net/tags/2.0.8RC1	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=hiCtrl$1	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=mlCtrl$1	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=ru&category=theme81https://myactivity.google.com/myactivity/?u	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICEN	0%	Virustotal		Browse
https://svn.apache.org/repos/asf/logging/log4net/tags/2.0.8RC1	0%	Virustotal		Browse
https://chrome.google.com/webstore?hl=ru&category=theme81https://myactivity.google.com/myactivity/?u	0%	Virustotal		Browse
https://www.google.com/chrome/privacy/eula_text.html	1%	Virustotal		Browse
https://chrome.google.com/webstore?hl=thCtrl$1	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=es-419Ctrl$1	0%	Avira URL Cloud	safe
https://www.google.com/chrome/privacy/eula_text.htmlA&judaGerenciado	0%	Avira URL Cloud	safe
http://logging.apache.org/log4net/release/faq.html#trouble-EventLog	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=et&category=theme81https://myactivity.google.com/myactivity/?u	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=etCtrl$1	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=itCtrl$1	0%	Avira URL Cloud	safe
http://api.install-stat.debug.world/clients/activity	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=pt-BR&category=theme81https://myactivity.google.com/myactivity	0%	Avira URL Cloud	safe
http://logging.apache.org/log4net/release/faq.html#trouble-EventLog	0%	Virustotal		Browse
https://chrome.google.com/webstore?hl=et&category=theme81https://myactivity.google.com/myactivity/?u	0%	Virustotal		Browse
https://chrome.google.com/webstore?hl=te&category=theme81https://myactivity.google.com/myactivity/?u	0%	Avira URL Cloud	safe
http://www.apache.org/).	0%	Avira URL Cloud	safe
https://www.google.com/chrome/privacy/eula_text.htmlA&judaGerenciado	0%	Virustotal		Browse
https://photos.google.com/settings?referrer=CHROME_NTP	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=pt-BR&category=theme81https://myactivity.google.com/myactivity	0%	Virustotal		Browse
https://myactivity.google.com/	0%	Avira URL Cloud	safe
http://api.install-stat.debug.world/clients/activity	0%	Virustotal		Browse
https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged	0%	Avira URL Cloud	safe
https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=te&category=theme81https://myactivity.google.com/myactivity/?u	0%	Virustotal		Browse
https://chrome.google.com/webstore?hl=it&category=theme81https://myactivity.google.com/myactivity/?u	0%	Avira URL Cloud	safe
https://chromeenterprise.google/policies/#BrowserSwitcherUrlList	0%	Avira URL Cloud	safe
https://passwords.google.com	0%	Avira URL Cloud	safe
http://www.apache.org/).	0%	Virustotal		Browse
https://photos.google.com/settings?referrer=CHROME_NTP	0%	Virustotal		Browse
https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged	1%	Virustotal		Browse
https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl	0%	Virustotal		Browse
https://policies.google.com/	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=th&category=theme81https://myactivity.google.com/myactivity/?u	0%	Avira URL Cloud	safe
https://chromeenterprise.google/policies/#BrowserSwitcherUrlList	0%	Virustotal		Browse
https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22	0%	Avira URL Cloud	safe
https://passwords.google.com	0%	Virustotal		Browse
http://logging.apache.org/log4ne	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=pt-BRCtrl$1	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/LICENSE-2.0	0%	Avira URL Cloud	safe
https://myactivity.google.com/	0%	Virustotal		Browse
https://policies.google.com/	0%	Virustotal		Browse
https://chromeenterprise.google/policies/#BrowserSwitcherEnabled	0%	Avira URL Cloud	safe
https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22	0%	Virustotal		Browse
https://www.google.com/chrome/privacy/eula_text.htmlP&omo	1%	Virustotal		Browse
http://www.apache.org/licenses/LICENSE-2.0	0%	Virustotal		Browse
https://chromeenterprise.google/policies/#BrowserSwitcherEnabled	0%	Virustotal		Browse
https://passwords.google.comCuenta	0%	Avira URL Cloud	safe
https://www.google.com/chrome/privacy/eula_text.htmlP&omo	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore/category/extensions	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=idCtrl$1	0%	Avira URL Cloud	safe
https://support.google.com/chromebook?p=app_intent	0%	Avira URL Cloud	safe
http://jiugeyou.bond0	0%	Avira URL Cloud	safe
https://www.google.com/chrome/privacy/eula_text.htmlDikelola	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=es-419&category=theme81https://myactivity.google.com/myactivit	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=ml&category=theme81https://myactivity.google.com/myactivity/?u	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=ruCtrl$1	0%	Avira URL Cloud	safe
http://www.apache.org/licenses/	0%	Virustotal		Browse
https://www.google.com/chrome/privacy/eula_text.htmlDikelola	1%	Virustotal		Browse
https://support.google.com/chromebook?p=app_intent	0%	Virustotal		Browse
https://passwords.google.comConta	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u	0%	Avira URL Cloud	safe
https://passwords.google.comGoogle	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore/category/extensions	0%	Virustotal		Browse
https://chrome.google.com/webstore?hl=hrCtrl$1	0%	Avira URL Cloud	safe
https://www.google.com/chrome/privacy/eula_text.html&	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=hi&category=theme81https://myactivity.google.com/myactivity/?u	0%	Avira URL Cloud	safe
http://api.install-stat.debug.world/clients/installs0	0%	Avira URL Cloud	safe
https://www.google.com/chrome/privacy/eula_text.htmlG&uidaGestito	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=id&category=theme81https://myactivity.google.com/myactivity/?u	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=hr&category=theme81https://myactivity.google.com/myactivity/?u	0%	Avira URL Cloud	safe
https://www.google.com/chrome/privacy/eula_text.htmlA&biHaldab	0%	Avira URL Cloud	safe
https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl	0%	Avira URL Cloud	safe
http://api.install-stat.debug.world/clients/activity0	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=ukCtrl$1	0%	Avira URL Cloud	safe
http://api.install-stat.debug.world/clients/installs	0%	Avira URL Cloud	safe
https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist	0%	Avira URL Cloud	safe
http://jiugeyou.bond	0%	Avira URL Cloud	safe
https://support.google.com/chrome/a/answer/9122284	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=enCtrl$1	0%	Avira URL Cloud	safe
http://glokh.com/22_556/huge.dat	0%	Avira URL Cloud	safe
https://chrome.google.com/webstore?hl=uk&category=theme81https://myactivity.google.com/myactivity/?u	0%	Avira URL Cloud	safe
https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist	0%	Avira URL Cloud	safe
https://www.google.com/chrome/privacy/eula_text.htmlA&yudaAdministrado	0%	Avira URL Cloud	safe
https://passwords.google.comAkun	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://chrome.google.com/webstore?hl=teCtrl$1	te.pak.6.dr	false	Avira URL Cloud: safe	unknown
https://svn.apache.org/repos/asf/logging/log4net/tags/2.0.8RC1	GamePall.exe, GamePall.exe, 00000009.00000002.3566507407.00000000051F6000.00000002.00000001.01000000.0000000C.sdmp, GamePall.exe, 00000009.00000002.3566365047.00000000051B2000.00000002.00000001.01000000.0000000C.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=hiCtrl$1	hi.pak.6.dr	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICEN	GamePall.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.google.com/chrome/answer/6098869	GamePall.exe, 00000009.00000002.3566916334.0000000005630000.00000002.00000001.00040000.00000016.sdmp, et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr, pt-BR.pak.6.dr, en-US.pak.6.dr, uk.pak.6.dr, ru.pak.6.dr, id.pak.6.dr, it.pak.6.dr	false	URL Reputation: safe	unknown
https://www.google.com/chrome/privacy/eula_text.html	th.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr, uk.pak.6.dr	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.unicode.org/copyright.html	icudtl.dat.6.dr	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=mlCtrl$1	ml.pak.6.dr	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=ru&category=theme81https://myactivity.google.com/myactivity/?u	ru.pak.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=es-419Ctrl$1	es-419.pak.6.dr	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=thCtrl$1	th.pak.6.dr	false	Avira URL Cloud: safe	unknown
https://www.google.com/chrome/privacy/eula_text.htmlA&judaGerenciado	pt-BR.pak.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://logging.apache.org/log4net/release/faq.html#trouble-EventLog	GamePall.exe, 00000009.00000002.3566365047.00000000051B2000.00000002.00000001.01000000.0000000C.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=et&category=theme81https://myactivity.google.com/myactivity/?u	et.pak.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=etCtrl$1	et.pak.6.dr	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=itCtrl$1	it.pak.6.dr	false	Avira URL Cloud: safe	unknown
http://api.install-stat.debug.world/clients/activity	GamePall.exe, 00000009.00000002.3564510429.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 0000000A.00000002.3628668214.0000000003271000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.3625469037.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 0000000F.00000002.3735139731.00000000033E1000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=pt-BR&category=theme81https://myactivity.google.com/myactivity	pt-BR.pak.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=te&category=theme81https://myactivity.google.com/myactivity/?u	te.pak.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.apache.org/).	GamePall.exe, GamePall.exe, 00000009.00000002.3566365047.00000000051B2000.00000002.00000001.01000000.0000000C.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://photos.google.com/settings?referrer=CHROME_NTP	GamePall.exe, 00000009.00000002.3566916334.0000000005630000.00000002.00000001.00040000.00000016.sdmp, et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr, pt-BR.pak.6.dr, en-US.pak.6.dr, uk.pak.6.dr, ru.pak.6.dr, id.pak.6.dr, it.pak.6.dr, es-419.pak.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://myactivity.google.com/	GamePall.exe, 00000009.00000002.3566916334.0000000005630000.00000002.00000001.00040000.00000016.sdmp, et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr, pt-BR.pak.6.dr, en-US.pak.6.dr, uk.pak.6.dr, ru.pak.6.dr, id.pak.6.dr, it.pak.6.dr, es-419.pak.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/chrome/privacy/eula_text.htmlH&elpManaged	GamePall.exe, 00000009.00000002.3566916334.0000000005630000.00000002.00000001.00040000.00000016.sdmp, en-US.pak.6.dr	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl	GamePall.exe, 00000009.00000002.3566916334.0000000005630000.00000002.00000001.00040000.00000016.sdmp, et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr, pt-BR.pak.6.dr, en-US.pak.6.dr, uk.pak.6.dr, ru.pak.6.dr, id.pak.6.dr, it.pak.6.dr, es-419.pak.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=it&category=theme81https://myactivity.google.com/myactivity/?u	it.pak.6.dr	false	Avira URL Cloud: safe	unknown
https://chromeenterprise.google/policies/#BrowserSwitcherUrlList	GamePall.exe, 00000009.00000002.3566916334.0000000005630000.00000002.00000001.00040000.00000016.sdmp, et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr, pt-BR.pak.6.dr, en-US.pak.6.dr, uk.pak.6.dr, ru.pak.6.dr, id.pak.6.dr, it.pak.6.dr, es-419.pak.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://passwords.google.com	th.pak.6.dr, uk.pak.6.dr, ru.pak.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://policies.google.com/	GamePall.exe, 00000009.00000002.3566916334.0000000005630000.00000002.00000001.00040000.00000016.sdmp, et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr, pt-BR.pak.6.dr, en-US.pak.6.dr, uk.pak.6.dr, ru.pak.6.dr, id.pak.6.dr, it.pak.6.dr, es-419.pak.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=th&category=theme81https://myactivity.google.com/myactivity/?u	th.pak.6.dr	false	Avira URL Cloud: safe	unknown
https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22	GamePall.exe, 00000009.00000002.3566916334.0000000005630000.00000002.00000001.00040000.00000016.sdmp, et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr, pt-BR.pak.6.dr, en-US.pak.6.dr, uk.pak.6.dr, ru.pak.6.dr, it.pak.6.dr, es-419.pak.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://logging.apache.org/log4ne	GamePall.exe	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=pt-BRCtrl$1	pt-BR.pak.6.dr	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	GamePall.exe, 00000009.00000002.3566365047.00000000051B2000.00000002.00000001.01000000.0000000C.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://chromeenterprise.google/policies/#BrowserSwitcherEnabled	GamePall.exe, 00000009.00000002.3566916334.0000000005630000.00000002.00000001.00040000.00000016.sdmp, et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr, pt-BR.pak.6.dr, en-US.pak.6.dr, uk.pak.6.dr, ru.pak.6.dr, id.pak.6.dr, it.pak.6.dr, es-419.pak.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://passwords.google.comCuenta	es-419.pak.6.dr	false	Avira URL Cloud: safe	unknown
https://www.google.com/chrome/privacy/eula_text.htmlP&omo	hr.pak.6.dr	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=idCtrl$1	id.pak.6.dr	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore/category/extensions	GamePall.exe, 00000009.00000002.3566916334.0000000005630000.00000002.00000001.00040000.00000016.sdmp, et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr, pt-BR.pak.6.dr, en-US.pak.6.dr, uk.pak.6.dr, ru.pak.6.dr, id.pak.6.dr, it.pak.6.dr, es-419.pak.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://jiugeyou.bond0	GamePall.exe, 0000000F.00000002.3735139731.00000000033E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.google.com/chromebook?p=app_intent	GamePall.exe, 00000009.00000002.3566916334.0000000005630000.00000002.00000001.00040000.00000016.sdmp, et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr, pt-BR.pak.6.dr, en-US.pak.6.dr, uk.pak.6.dr, ru.pak.6.dr, id.pak.6.dr, it.pak.6.dr, es-419.pak.6.dr	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.google.com/chrome/privacy/eula_text.htmlDikelola	id.pak.6.dr	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/	GamePall.exe, GamePall.exe, 00000009.00000002.3566365047.00000000051B2000.00000002.00000001.01000000.0000000C.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=es-419&category=theme81https://myactivity.google.com/myactivit	es-419.pak.6.dr	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=ml&category=theme81https://myactivity.google.com/myactivity/?u	ml.pak.6.dr	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=ruCtrl$1	ru.pak.6.dr	false	Avira URL Cloud: safe	unknown
https://passwords.google.comConta	pt-BR.pak.6.dr	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=en&category=theme81https://myactivity.google.com/myactivity/?u	GamePall.exe, 00000009.00000002.3566916334.0000000005630000.00000002.00000001.00040000.00000016.sdmp, en-US.pak.6.dr	false	Avira URL Cloud: safe	unknown
https://passwords.google.comGoogle	GamePall.exe, 00000009.00000002.3566916334.0000000005630000.00000002.00000001.00040000.00000016.sdmp, et.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr, en-US.pak.6.dr, it.pak.6.dr	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=hrCtrl$1	hr.pak.6.dr	false	Avira URL Cloud: safe	unknown
https://www.google.com/chrome/privacy/eula_text.html&	ru.pak.6.dr	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=hi&category=theme81https://myactivity.google.com/myactivity/?u	hi.pak.6.dr	false	Avira URL Cloud: safe	unknown
http://api.install-stat.debug.world/clients/installs0	GamePall.exe, 0000000D.00000002.3625469037.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 0000000F.00000002.3735139731.00000000033E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/chrome/privacy/eula_text.htmlG&uidaGestito	it.pak.6.dr	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=id&category=theme81https://myactivity.google.com/myactivity/?u	id.pak.6.dr	false	Avira URL Cloud: safe	unknown
https://www.google.com/chrome/privacy/eula_text.htmlA&biHaldab	et.pak.6.dr	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=hr&category=theme81https://myactivity.google.com/myactivity/?u	hr.pak.6.dr	false	Avira URL Cloud: safe	unknown
https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl	GamePall.exe, 00000009.00000002.3566916334.0000000005630000.00000002.00000001.00040000.00000016.sdmp, et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr, pt-BR.pak.6.dr, en-US.pak.6.dr, uk.pak.6.dr, ru.pak.6.dr, id.pak.6.dr, it.pak.6.dr, es-419.pak.6.dr	false	Avira URL Cloud: safe	unknown
http://api.install-stat.debug.world/clients/activity0	GamePall.exe, 0000000F.00000002.3735139731.00000000033E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_Error	SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=ukCtrl$1	uk.pak.6.dr	false	Avira URL Cloud: safe	unknown
http://api.install-stat.debug.world/clients/installs	GamePall.exe, 0000000F.00000002.3735139731.00000000033E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist	GamePall.exe, 00000009.00000002.3566916334.0000000005630000.00000002.00000001.00040000.00000016.sdmp, et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr, pt-BR.pak.6.dr, en-US.pak.6.dr, uk.pak.6.dr, ru.pak.6.dr, id.pak.6.dr, it.pak.6.dr, es-419.pak.6.dr	false	Avira URL Cloud: safe	unknown
http://jiugeyou.bond	GamePall.exe, 00000009.00000002.3564510429.0000000002BC1000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 0000000A.00000002.3628668214.0000000003271000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 0000000D.00000002.3625469037.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, GamePall.exe, 0000000F.00000002.3735139731.00000000033E1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.google.com/chrome/a/answer/9122284	et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr, pt-BR.pak.6.dr, uk.pak.6.dr, ru.pak.6.dr, it.pak.6.dr	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=enCtrl$1	GamePall.exe, 00000009.00000002.3566916334.0000000005630000.00000002.00000001.00040000.00000016.sdmp, en-US.pak.6.dr	false	Avira URL Cloud: safe	unknown
http://glokh.com/22_556/huge.dat	SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe, 00000001.00000003.2466025557.0000000003040000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=uk&category=theme81https://myactivity.google.com/myactivity/?u	uk.pak.6.dr	false	Avira URL Cloud: safe	unknown
https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist	GamePall.exe, 00000009.00000002.3566916334.0000000005630000.00000002.00000001.00040000.00000016.sdmp, et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr, pt-BR.pak.6.dr, en-US.pak.6.dr, uk.pak.6.dr, ru.pak.6.dr, id.pak.6.dr, it.pak.6.dr, es-419.pak.6.dr	false	Avira URL Cloud: safe	unknown
https://www.google.com/chrome/privacy/eula_text.htmlA&yudaAdministrado	es-419.pak.6.dr	false	Avira URL Cloud: safe	unknown
https://passwords.google.comAkun	id.pak.6.dr	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.90.238	unknown	United States		13335	CLOUDFLARENETUS	false
185.117.88.39	unknown	Netherlands		42708	PORTLANEwwwportlanecomSE	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1503237
Start date and time:	2024-09-03 08:29:31 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe
Detection:	MAL
Classification:	mal68.evad.winEXE@76/108@0/2
EGA Information:	Successful, ratio: 14.3%
HCA Information:	Successful, ratio: 99% Number of executed functions: 103 Number of non-executed functions: 208
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Execution Graph export aborted for target GamePall.exe, PID 1924 because it is empty
Execution Graph export aborted for target GamePall.exe, PID 3636 because it is empty
Execution Graph export aborted for target GamePall.exe, PID 3796 because it is empty
Execution Graph export aborted for target GamePall.exe, PID 4288 because it is empty
Execution Graph export aborted for target GamePall.exe, PID 4892 because it is empty
Execution Graph export aborted for target GamePall.exe, PID 612 because it is empty
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Skipping network analysis since amount of network traffic is too extensive

Simulations

Behavior and APIs

Time	Type	Description
02:32:30	API Interceptor	1x Sleep call for process: GamePall.exe modified
08:32:28	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run GamePall C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
08:32:39	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run GamePall C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
185.117.88.39	HDKuOe.exe	Get hash	malicious	Unknown	Browse
	HDKuOe.exe	Get hash	malicious	Unknown	Browse
	8ubQTzsAqG.exe	Get hash	malicious	Unknown	Browse
	8ubQTzsAqG.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.15996.11306.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Heuristic.HEUR.AGEN.1343277.15996.11306.exe	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PORTLANEwwwportlanecomSE	MACHINE_SPECIFICATION.js	Get hash	malicious	WSHRat	Browse	46.246.84.83
	HDKuOe.exe	Get hash	malicious	Unknown	Browse	185.117.88.39
	HDKuOe.exe	Get hash	malicious	Unknown	Browse	185.117.88.39
	sora.mpsl.elf	Get hash	malicious	Mirai	Browse	5.254.217.95
	Requerimiento_Juridico_Proferido_N#U00b0_437361838..exe	Get hash	malicious	AsyncRAT, DcRat	Browse	46.246.80.9
	chrome.exe	Get hash	malicious	Unknown	Browse	46.246.120.178
	PURCHASE_ORDER.js	Get hash	malicious	AsyncRAT	Browse	46.246.14.66
	Ref_87021929821US20240709031221656.js	Get hash	malicious	Nanocore	Browse	46.246.14.67
	qZvaZQbxa5.exe	Get hash	malicious	XWorm	Browse	46.246.4.9
	WQfmuMk5HB.exe	Get hash	malicious	XWorm	Browse	46.246.4.9
CLOUDFLARENETUS	SOCRETAS GRAECIA VSL's PARTICULARS.pdf.scr.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	LYONSOFT, COOP.V. - Env#U00edo orden 240187 fecha 02-09-2024.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	PO 4555131028.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	https://piclut.com/n//?c3Y9bzM2NV8xX29uZSZyYW5kPWRHcFdjMk09JnVpZD1VU0VSMjkwNzIwMjRVMTgwNzI5MDA=	Get hash	malicious	Unknown	Browse	104.21.92.125
	SecuriteInfo.com.Win32.PWSX-gen.14960.5907.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	avanss.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	umbralstealer.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	162.159.130.233
	BTC.exe	Get hash	malicious	AsyncRAT, Rezlt, StormKitty, VenomRAT, Vermin Keylogger, WorldWind Stealer, XWorm	Browse	172.67.196.114
	FATT. N. 2563 DEL 30.08.2024 Antincendi Marche S.r.l..exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	mSpv.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsf909B.tmp\liteFirewall.dll	HDKuOe.exe	Get hash	malicious	Unknown	Browse
	HDKuOe.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	LummaC, SmokeLoader	Browse
	file.exe	Get hash	malicious	SmokeLoader	Browse
	file.exe	Get hash	malicious	LummaC, SmokeLoader	Browse
	file.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse
	5GOuTtZoQn.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse
	SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.15788.4670.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse
	JuHVfiAuLo.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse
	LXbM8RbhLa.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse
C:\Users\user\AppData\Local\Temp\nskF942.tmp\INetC.dll	HDKuOe.exe	Get hash	malicious	Unknown	Browse
	HDKuOe.exe	Get hash	malicious	Unknown	Browse
	LisectAVT_2403002B_95.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	LummaC, SmokeLoader	Browse
	file.exe	Get hash	malicious	SmokeLoader	Browse
	file.exe	Get hash	malicious	LummaC, SmokeLoader	Browse
	file.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse
	5GOuTtZoQn.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse
	SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.15788.4670.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse
	JuHVfiAuLo.exe	Get hash	malicious	LummaC, Poverty Stealer, SmokeLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZRZDXR93\huge[1].dat

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	107107091
Entropy (8bit):	7.999926944050585
Encrypted:	true
SSDEEP:	3145728:9xNatfm+qgNdi6Dx9j8xOaspSz6jcLkVVvOjp:9Lat+tYI6jjnJpSz6jTWjp
MD5:	2B4BA70B5C6115ADD73FDEF28AAEAA8A
SHA1:	7E2264C7AED8F051F681AD1E78F263606351AA66
SHA-256:	D817589B822C458C17C2EE6C0ED4791930B86BBCDDDD103F6556B428B7E1DDDF
SHA-512:	964F2062EDE187CE78044DE76A13B927D20B37B06A736F8834F48135B368D298727FC98B5B8C5E5839AF7F38ACFCD99337904987A8912D3D4A0C23C1256691AF
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................... ............@.................................8............8...........................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............\|..............@....ndata.......P...........................rsrc....8.......:..................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsf909B.tmp\liteFirewall.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	82944
Entropy (8bit):	6.389604568119155
Encrypted:	false
SSDEEP:	1536:Dli3i1jKfTV0LzYpAzMk2nACScLw5jPAT:j9KLQ+ScLw5jPAT
MD5:	165E1EF5C79475E8C33D19A870E672D4
SHA1:	965F02BFD103F094AC6B3EEF3ABE7FDCB8D9E2A5
SHA-256:	9DB9C58E44DFF2D985DC078FDBB7498DCC66C4CC4EB12F68DE6A98A5D665ABBD
SHA-512:	CD10EAF0928E5DF048BF0488D9DBFE9442E2E106396A0967462BEF440BF0B528CDF3AB06024FB6FDAF9F247E2B7F3CA0CEA78AFC0CE6943650EF9D6C91FEE52A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: HDKuOe.exe, Detection: malicious, Browse Filename: HDKuOe.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: 5GOuTtZoQn.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.15788.4670.exe, Detection: malicious, Browse Filename: JuHVfiAuLo.exe, Detection: malicious, Browse Filename: LXbM8RbhLa.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........W=.e9n.e9n.e9n...n.e9n...n.e9n..Bn.e9n.e8n.e9n.7.n.e9n...n.e9n...n.e9n...n.e9nRich.e9n........PE..L...,.N...........!.........^.......%...............................................3..................................`...$'..d....`.......................p...................................... ...@...............h............................text...1........................... ..`.rdata..P/.......0..................@..@.data........0......................@....rsrc........`.......*..............@..@.reloc.......p.......,..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nskF942.tmp\INetC.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22016
Entropy (8bit):	5.668346578219837
Encrypted:	false
SSDEEP:	384:VpOSdCjDyyvBwRlX+ODbswYM2s74NS0v0Ac9khYLMkIX0+Gzyekx:rdCjW/lX1PfYM2X1
MD5:	92EC4DD8C0DDD8C4305AE1684AB65FB0
SHA1:	D850013D582A62E502942F0DD282CC0C29C4310E
SHA-256:	5520208A33E6409C129B4EA1270771F741D95AFE5B048C2A1E6A2CC2AD829934
SHA-512:	581351AEF694F2489E1A0977EBCA55C4D7268CA167127CEFB217ED0D2098136C7EB433058469449F75BE82B8E5D484C9E7B6CF0B32535063709272D7810EC651
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: HDKuOe.exe, Detection: malicious, Browse Filename: HDKuOe.exe, Detection: malicious, Browse Filename: LisectAVT_2403002B_95.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: 5GOuTtZoQn.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.W32.Trojan.FWF.gen.Eldorado.15788.4670.exe, Detection: malicious, Browse Filename: JuHVfiAuLo.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9<.EXR.EXR.EXR.b.).LXR.EXS..XR.b. .FXR.b.(.DXR.b...DXR.b.*.DXR.RichEXR.................PE..L....I6V...........!.....8...P......Q?.......P...................................................................... G..l....?..d.......(...............................................................................P............................text....7.......8.................. ..`.data...<<...P.......<..............@....rsrc...(............D..............@..@.reloc...............N..............@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nskF942.tmp\blowfish.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22528
Entropy (8bit):	6.674611218414922
Encrypted:	false
SSDEEP:	384:yTxz0Cv0hqd+1TjQmd9YWrSUEc//////OD5hF92IJpJgLa0MpoYfAz6S:jCvsqdS3QGBREc//////Q53NgLa1ub
MD5:	5AFD4A9B7E69E7C6E312B2CE4040394A
SHA1:	FBD07ADB3F02F866DC3A327A86B0F319D4A94502
SHA-256:	053B4487D22AACF8274BAB448AE1D665FE7926102197B47BFBA6C7ED5493B3AE
SHA-512:	F78EFE9D1FA7D2FFC731D5F878F81E4DCBFAF0C561FDFBF4C133BA2CE1366C95C4672D67CAE6A8BD8FCC7D04861A9DA389D98361055AC46FC9793828D9776511
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................6..........dD.......P....@.....................................................................Y.......................................p...................................................................................CODE....\|4.......6.................. ..`DATA....8....P.......:..............@...BSS..........p.......L...................idata...............L..............@....edata..Y............P..............@..P.reloc..p............R..............@..P.rsrc................V..............@..P.....................X..............@..P................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nskF942.tmp\nsProcess.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4608
Entropy (8bit):	4.666004851298707
Encrypted:	false
SSDEEP:	48:iYXzAm8HGJLvwM8GJFd6I7W4JtT2bxNNAa4GsNf+CJ8aYqmtlKdgAtgma1QvtCSJ:lz2mJkpGR6GY74GQ1YqmstgGCtR
MD5:	FAA7F034B38E729A983965C04CC70FC1
SHA1:	DF8BDA55B498976EA47D25D8A77539B049DAB55E
SHA-256:	579A034FF5AB9B732A318B1636C2902840F604E8E664F5B93C07A99253B3C9CF
SHA-512:	7868F9B437FCF829AD993FF57995F58836AD578458994361C72AE1BF1DFB74022F9F9E948B48AFD3361ED3426C4F85B4BB0D595E38EE278FEE5C4425C4491DBF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........s.I...I...I...n\|f.L...I...Q...@..K...@..H...@..H...RichI...........PE..L...`..N...........!......................... ...............................`.......................................#....... ..<....@.......................P..\|.................................................... ..`............................text............................... ..`.rdata....... ......................@..@.data... ....0......................@....rsrc........@......................@..@.reloc.......P......................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\setup.exe

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	107107091
Entropy (8bit):	7.999926944050585
Encrypted:	true
SSDEEP:	3145728:9xNatfm+qgNdi6Dx9j8xOaspSz6jcLkVVvOjp:9Lat+tYI6jjnJpSz6jTWjp
MD5:	2B4BA70B5C6115ADD73FDEF28AAEAA8A
SHA1:	7E2264C7AED8F051F681AD1E78F263606351AA66
SHA-256:	D817589B822C458C17C2EE6C0ED4791930B86BBCDDDD103F6556B428B7E1DDDF
SHA-512:	964F2062EDE187CE78044DE76A13B927D20B37B06A736F8834F48135B368D298727FC98B5B8C5E5839AF7F38ACFCD99337904987A8912D3D4A0C23C1256691AF
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 8%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................... ............@.................................8............8...........................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............\|..............@....ndata.......P...........................rsrc....8.......:..................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\DawnCache\data_0

Download File

Process:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\DawnCache\data_1

Download File

Process:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012096502606932763
Encrypted:	false
SSDEEP:	3:MsEllllkXl:/M/6
MD5:	259E7ED5FB3C6C90533B963DA5B2FC1B
SHA1:	DF90EABDA434CA50828ABB039B4F80B7F051EC77
SHA-256:	35BB2F189C643DCF52ECF037603D104035ECDC490BF059B7736E58EF7D821A09
SHA-512:	9D401053AC21A73863B461B0361DF1A17850F42FD5FC7A77763A124AA33F2E9493FAD018C78CDFF63CA10F6710E53255CE891AD6EC56EC77D770C4630F274933
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\DawnCache\data_2

Download File

Process:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\DawnCache\data_3

Download File

Process:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:	data
Category:	modified
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\DawnCache\index

Download File

Process:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNleBA8l:Ls3e
MD5:	F0E899D2559811344630C29567FE4882
SHA1:	CA1D358CB82791E9767D145A7B31B088D1925152
SHA-256:	61D419664407347B09667D4787593D4EED9F834EB7EBC7733E2456F85FA77661
SHA-512:	19293291FB76CDD66952CBFADB631897100825EED386967741254ABC41E85B9F991370900FB28670060F5837C9062F976E93AC66DCCB7BC5511FCD769303E620
Malicious:	false
Preview:	........................................a.$.../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\Del.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	4.622398838808078
Encrypted:	false
SSDEEP:	96:QPjzIyfbInD3W0IwrBmEH7UewW4ORIhmY5XO40uK8DDzNt:pQIS0IwrJbU7W4kIX5e4kgF
MD5:	97D4D47D539CB8171BE2AEFD64C6EBB1
SHA1:	44ABF82DD553CCE0C1F41B9B78D853075DDD1F16
SHA-256:	8D996D5F68BF2248F223C4F3549303BC6A8EC58CC97FCB63B7BB7D8068850273
SHA-512:	7D402847B093E208410C695095DE815A3F5D5DA81630FD51C88C009C48C269D0EA5016D626351BB9D38862163FAD930645072C50ACCCD743DC0E19531A592FDE
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 7%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....&.].........."...0.............64... ...@....@.. ....................................@..................................3..O....@.......................`.......2............................................... ............... ..H............text...<.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................4......H........#...............1...............................................0..-.......(....r...p(.....(.......(....,...(....(........0..T........~....(.....~....(.....(....s....%.o....%.o....%.o....%.o....%~....o....(....&..&..........PP.......0..6.......(....(......( ...r...p~....r...p(!.....("...,...(#......0..........r...p.~$.....o%.....,..~....o&......,..o'....ra..p.~$.....o%.....,..~....o(......,..o'....r...p.~$.....o%.....,..~....o(......,..o'......&..*....4.......#..

C:\Users\user\AppData\Roaming\GamePall\GPUCache\data_0

Download File

Process:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:	FoxPro FPT, blocks size 512, next free block index 3284796609, field type 0
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.01057775872642915
Encrypted:	false
SSDEEP:	3:MsFl:/F
MD5:	CF89D16BB9107C631DAABF0C0EE58EFB
SHA1:	3AE5D3A7CF1F94A56E42F9A58D90A0B9616AE74B
SHA-256:	D6A5FE39CD672781B256E0E3102F7022635F1D4BB7CFCC90A80FFFE4D0F3877E
SHA-512:	8CB5B059C8105EB91E74A7D5952437AAA1ADA89763C5843E7B0F1B93D9EBE15ED40F287C652229291FAC02D712CF7FF5ECECEF276BA0D7DDC35558A3EC3F77B0
Malicious:	false
Preview:	............$...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\GPUCache\data_1

Download File

Process:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012096502606932763
Encrypted:	false
SSDEEP:	3:MsEllllkXl:/M/6
MD5:	259E7ED5FB3C6C90533B963DA5B2FC1B
SHA1:	DF90EABDA434CA50828ABB039B4F80B7F051EC77
SHA-256:	35BB2F189C643DCF52ECF037603D104035ECDC490BF059B7736E58EF7D821A09
SHA-512:	9D401053AC21A73863B461B0361DF1A17850F42FD5FC7A77763A124AA33F2E9493FAD018C78CDFF63CA10F6710E53255CE891AD6EC56EC77D770C4630F274933
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\GPUCache\data_2

Download File

Process:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.011852361981932763
Encrypted:	false
SSDEEP:	3:MsHlDll:/H
MD5:	0962291D6D367570BEE5454721C17E11
SHA1:	59D10A893EF321A706A9255176761366115BEDCB
SHA-256:	EC1702806F4CC7C42A82FC2B38E89835FDE7C64BB32060E0823C9077CA92EFB7
SHA-512:	F555E961B69E09628EAF9C61F465871E6984CD4D31014F954BB747351DAD9CEA6D17C1DB4BCA2C1EB7F187CB5F3C0518748C339C8B43BBD1DBD94AEAA16F58ED
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\GPUCache\data_3

Download File

Process:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:	data
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	0.012340643231932763
Encrypted:	false
SSDEEP:	3:MsGl3ll:/y
MD5:	41876349CB12D6DB992F1309F22DF3F0
SHA1:	5CF26B3420FC0302CD0A71E8D029739B8765BE27
SHA-256:	E09F42C398D688DCE168570291F1F92D079987DEDA3099A34ADB9E8C0522B30C
SHA-512:	E9A4FC1F7CB6AE2901F8E02354A92C4AAA7A53C640DCF692DB42A27A5ACC2A3BFB25A0DE0EB08AB53983132016E7D43132EA4292E439BB636AAFD53FB6EF907E
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\GPUCache\index

Download File

Process:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
File Type:	FoxPro FPT, blocks size 768, next free block index 3284796353, field type 0
Category:	dropped
Size (bytes):	262512
Entropy (8bit):	9.553120663130604E-4
Encrypted:	false
SSDEEP:	3:LsNlciT:Ls3TT
MD5:	DCEC1DCD30C129B0475A2307853C095A
SHA1:	061946D2510A3C933F71582CD547CCD2E41F8F06
SHA-256:	E0F89EFCC33D522BF5996B516859699F41608D9FED935DFE1F618F6A176D2C3B
SHA-512:	3A92E802CF5046E0A8B352A22F2276EFA5AE4058A23A6C7F2D7DB4DD7A281C520EFF8EAFC5CFEECE46AA5C728C1BE63801200605E0A081289C922AE5630D3FE5
Malicious:	false
Preview:	.........................................c#.../.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	187392
Entropy (8bit):	4.5816933981574515
Encrypted:	false
SSDEEP:	3072:MTpj4ZerRgvmHMaeBlnhblkKqo4z2h88HV:spuARsg1etbq2a8H
MD5:	46A3A9D4CA0EBE2BC40FA28BBFCD7200
SHA1:	DA03DE3ABEC590F957B282E3EE8D404C7859D040
SHA-256:	E13FD38426C94F2F72E7560E379C74FA1E7C365574EB14D30183F2CCCEC01F76
SHA-512:	226C9AB2E156EED32ED05F50B7711CC19C1920AE3E3FA093234FB24EE2B8687754099EE0571A987D2F640199353587FC599BE07D0E175938C7FB0DB784585C75
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 5%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0.............r.... ........@.. .......................@............@................................. ...O.......D.................... ...................................................... ............... ..H............text........ ...................... ..`.rsrc...D...........................@..@.reloc....... ......................@..B................T.......H....... ...X...........x...p............................................(....s....Z..(....,...(....(.....(......(......(............~........0..W.......(....".....(......,..o....-...o.....+...( .....o....&..(!...-...........o"....."...BZ.......%..A.......0..Q.......(....(........,..o....-...o.....+...( .....o....&.._...(!...-...........o"..............!. A.......0..V.......(....(......,..o....-.~#.....o.....+...( ...."...B[..o....&..(!...-...........o"....*......

C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	462336
Entropy (8bit):	6.803831500359682
Encrypted:	false
SSDEEP:	6144:leSYvQAd10GtSV41OJDsTDDVUMle6ZjxLV/rHo0Oaaz2R9IY:oJBdBS4msNUCe65frHMnz2R9
MD5:	6DED8FCBF5F1D9E422B327CA51625E24
SHA1:	8A1140CEBC39F6994EEF7E8DE4627FB7B72A2DD9
SHA-256:	3B3E541682E48F3FD2872F85A06278DA2F3E7877EE956DA89B90D732A1EAA0BD
SHA-512:	BDA3A65133B7B1E2765C7D07C7DA5103292B3C4C2F0673640428B3E7E8637B11539F06C330AB5D0BA6E2274BD2DCD2C50312BE6579E75C4008FF5AE7DAE34CE4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....=N...........!................N#... ...@....@.. ..............................T.....@.................................."..O....@..P....................`......."............................................... ............... ..H............text...T.... ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B................0#......H.......0U..l...........P%.../..P ......................................6..`N.?O...%.C.k_..d...I......5a.......9x......R...gg8...JM...`.[. .o..eE1$_.M.h.q.oz..1..........@....s.c/J..wk.D.....t..&...(.......0..2........r...p(....}.......}"....(........(.........(......r...p(....}.......}"....(........(......0..j.........o....-..s#...+..}......(......(......}.....(....s....}......}......}......(......%-.&r...p}......j(#...rr!..p.{.....{.....B...(....*..0..A........{..

C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	574376
Entropy (8bit):	5.8881470355864725
Encrypted:	false
SSDEEP:	12288:ZzfhypmNGgHA37YyUD1AboTf3xnpJbC8VGSBJjRuz7:ZoI1AbQf3xnpJbC8VLBJjRuz7
MD5:	8F81C9520104B730C25D90A9DD511148
SHA1:	7CF46CB81C3B51965C1F78762840EB5797594778
SHA-256:	F1F01B3474B92D6E1C3D6ADFAE74EE0EA0EBA6E9935565FE2317686D80A2E886
SHA-512:	B4A66389BF06A6611DF47E81B818CC2FCD0A854324A2564A4438866953F148950F59CD4C07C9D40CC3A9043B5CE12B150C8A56CCCDF98D5E3F0225EDF8C516F3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Ot............" ..0.............6.... ........... ....................................@....................................O.......................................T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........f...P............................................................(......(....^.(...........%...}....:.(......}....:.(......}......(....:.(......}......{......(......(....:.(......}......{.....(.............}.....(......{.....X.....}......0...........-.~.....~....X....b...aX...X...X.+....b...aX...X...2.....cY.....cY....cY...{...._..{........+,..{E....3...{D......(....,...{D.....{F.......-.....0...........-.r...ps....z.o......-.~.....~....X...+....b..

C:\Users\user\AppData\Roaming\GamePall\Newtonsoft.Json.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	561424
Entropy (8bit):	4.606896607960262
Encrypted:	false
SSDEEP:	6144:XqqUmk/Rik2rH6dl0/IaHNpOVIeR0R+CRFo9TA82m5Kj+sJjoqoyO185QyMYFLse:DUK
MD5:	928ED37DB61C1E98A2831C8C01F6157C
SHA1:	98103C2133EBDA28BE78BFE3E2D81D41924A23EE
SHA-256:	39F6A4DB1BE658D6BAFF643FA05AAE7809139D9665475BFCA10D37DCA3384F21
SHA-512:	F59387BFA914C7DB234161E31AD6075031ACA17AAEF4B8D4F4B95C78C7A6A8D0E64211566CA2FD4549B9DA45231F57A4191FBCD3809404653F86EE2ABD4937A4
Malicious:	false
Preview:	<?xml version="1.0"?>..<doc>.. <assembly>.. <name>Newtonsoft.Json</name>.. </assembly>.. <members>.. <member name="T:Newtonsoft.Json.Bson.BsonObjectId">.. <summary>.. Represents a BSON Oid (object id)... </summary>.. </member>.. <member name="P:Newtonsoft.Json.Bson.BsonObjectId.Value">.. <summary>.. Gets or sets the value of the Oid... </summary>.. <value>The value of the Oid.</value>.. </member>.. <member name="M:Newtonsoft.Json.Bson.BsonObjectId.#ctor(System.Byte[])">.. <summary>.. Initializes a new instance of the <see cref="T:Newtonsoft.Json.Bson.BsonObjectId"/> class... </summary>.. <param name="value">The Oid value.</param>.. </member>.. <member name="T:Newtonsoft.Json.Bson.BsonReader">.. <summary>.. Represents a reader that provides fast, non-cached, forward-only access to s

C:\Users\user\AppData\Roaming\GamePall\Uninstall.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	116540
Entropy (8bit):	4.480514158916431
Encrypted:	false
SSDEEP:	1536:lFiFMVzRtVXmqpScuHEMVScrgX8H0LeAyNl/cApnM:lFi6z/VXzAf3ocr68H4eAuZe
MD5:	DB2D869947AF135C1E8F341C7BA9E77F
SHA1:	6B5A54803C1A738C54B0004CBC9252E241ADC8F7
SHA-256:	F5102BDB653D86FBDAA604702F7597C967DD685AA7CBBEA8F11167E332905690
SHA-512:	5AB69B68B841B2712BDA845A608DFA015A03F3ED91526E7EA9AE5E24B11972E503843299F59CAB3C3CF64AFFB3365C548D557E2A9610481996AF3052C25C0C7B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG.sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@.......................... ............@.................................8............8...........................................................................................................text....c.......d.................. ..`.rdata..v............h..............@..@.data...X............\|..............@....ndata.......P...........................rsrc....8.......:..................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\Xilium.CefGlue.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	875520
Entropy (8bit):	5.621956468920589
Encrypted:	false
SSDEEP:	12288:jsRfnBqqvFXWesd2HiZ9fyn+5FHrvUR1Qnzx7LuQ:jsRITeWAQ5vtu
MD5:	B03C7F6072A0CB1A1D6A92EE7B82705A
SHA1:	6675839C5E266075E7E1812AD8E856A2468274DD
SHA-256:	F561713347544E9D06D30F02A3DFCEC5FE593B38894593AEEDF5700666B35027
SHA-512:	19D6792EB9BA8584B94D0D59E07CE9D1C9C4DA5516490F4ABCE5AE0D7D55B357BDA45B2093B3E9EB9D6858061E9D3F530A6655C4779A50C911501AE23925C566
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..R...........p... ........... ....................................@..................................p..O.......x............................o..T............................................ ............... ..H............text....P... ...R.................. ..`.rsrc...x............T..............@..@.reloc...............Z..............@..B.................p......H....... .................................................................(......(......(....^.(.......=...%...}....:.(......}....:.(......}....^.(.......>...%...}....:.(......}.....(.............0..,.......(....o.......3......... ....3.(....-.....0..L.......~..... . ..(......(....-..(....r...p( ...,.......&...~....(!...,..("..............+1...........4.......~.....~......(.....~....,..(#...-.(....-..(....+.r...ps$...z(..........b.r...p(%...~.....(....&*.r

C:\Users\user\AppData\Roaming\GamePall\cef.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1946739
Entropy (8bit):	7.989700491058983
Encrypted:	false
SSDEEP:	49152:fpXzD2VLpS71ycdao6LreGCL/0jJZWOiBiXkbEia9T:xjyFgZ0Lr2/0jJU5BiIEN
MD5:	96AD47D78A70B33158961585D9154ECC
SHA1:	149BF6F6905A76B0CC9E9ACA580357BD6C3497A2
SHA-256:	C861117D1F1DBF02867B46FA87CB8C65C3213D196029EE81A02B617D131236E2
SHA-512:	6A971F742B5754EEF39C6C2C64DB13DFDCB74D8CB23833404E9EF5AD89E142278E5DF789F508DB561C5E957013AE0C60D002CDFA93BCD87CA4967D610DF1579B
Malicious:	false
Preview:	........V...f.....g.7........................!.....%....o8...).>...).F...).H...).X...).a...)i...).k...).q...)Lt...).v...)Tw...).x...).}...).....)I....)i....)....).....).....)L....)....)....)t....).....).....).....)s....).... )....!)....")....#)....$)}...%)+...&)h#..').'..().-..)).>..).A..+).C..,).Q..-)CU...).]..<).d..=).l..>)i...?)G...@)H...A)r...B)....C)z...T)....U)....V)+...W)....X)....Y)....Z)....[)#...\)}...]).!..^)R1.._).2..`).;..a).=..b)mE..c)QG..d).H..e)qL..f).U..g).]..h).b..i))d..j).e..k).g..l)Pi..m).p..n).z..s).z...).....)b....).....)'....).....)....)....).....).....)....).....)s....)F....)j....)....).....)....)....)....)h....)H....)....).....).....)k....).....)L....)q....)2....).....).....).....).....).....)N....)\|....).....).....).....).!...).)...).6...).C...)RE...).L...).N...).O...).U...)bV...).W...).^...)o_...)(g...)Si...).v...).....)0....)/....).....),....)..........F....]....3....v........v...................$... ....!8..."....#....$....%*..

C:\Users\user\AppData\Roaming\GamePall\cef_100_percent.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	214119
Entropy (8bit):	7.955451054538398
Encrypted:	false
SSDEEP:	6144:m5S+8U5mtp0ra7rFrJzw95T9OHCZg0Gb0OveGe04mExhLY:mWU5OGUFoqoORehrQ
MD5:	391F512173ECEC14EB5CE31299858DE1
SHA1:	3A5A41A190C1FB682F9D9C84F500FF50308617FC
SHA-256:	E0F5C754C969CCA0AC4594A6F3F2C23D080A09EEA992AF29E19F4291FD1E0B06
SHA-512:	44D7B9BCB3544C3F5550150EF3522BF6A0B36900695E6A13E44F5616E16A058548189D4FEA4A22248B1CB2B273B0EAA7D559EB2D8F013BED520E4097BD45D800
Malicious:	false
Preview:	........................#.b...&.....:.g....7.....7.....7.....7\|(...7.-...7t5...7.6...7.9...7s:...7hB...7.E...7.G...7.K...7qN...7.Q...7yR...7.S...7.W...7.\...7.b...7.i...7.k...76m...7Vq...7.r...7.v...7.y...7.{...7.~...7Z....75....7;....7W....7.....7c....7u....7b....7.....7.....7.....7Q....7*....7\....8."...8,)..<FqG..=F7I..>F.L..?F$O..@F.P..AFaQ..BFnT..CF.W..DF.Y..EFJ\..FF.^..MF(b..NF.c..QF.e..RF.f..YFZg..ZF.p..[F.x..\F.{..]F.{...L.\|...L.....L....Ni....N.....NJ....N2....N+....N^....No....N9....NK....N....N1....N$....N....Nh....N.....N.....U.....U.....U.....U.....U.....U[....U.&...Uh(...U?/...U.4...U.:...U.@...U.B...U,G...U.K...U)N...U.R...UF\...U.`...U.b...U.j...U]s...UEt...U.u...U.w...U.z...Uh{...U.}...U#....U.....U^....U.....U\|....U.....U.....U.....U.....U.....U.....U.....U.....U.....U]....U?....U.....U9....U....U.....Um....U<....U!....U.....U.....U....Uq....U3....U!....U.....U....U.....Uu....UJ....U.....U.....U.....U.....U`....U'....U.....U.....Ul....U%....U7....U.....U.....UW.

C:\Users\user\AppData\Roaming\GamePall\cef_200_percent.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	290001
Entropy (8bit):	7.9670215100557735
Encrypted:	false
SSDEEP:	6144:tS+8U5mtp0ra7rFriDQYaF+9bQHgs4jTlmOHCZVWGMRe8InVXYopym74:CU5OGUFrfs4gs4jTQ6ebVIo374
MD5:	BF59A047984EAFC79E40B0011ED4116D
SHA1:	DF747125F31F3FF7E3DFE5849F701C3483B32C5E
SHA-256:	CD9BE67AA0527F16E309189FA2369E1A2596D0601A7D55C405F8A619F4D095E9
SHA-512:	85A545758E8C89EF47BF11B553C57D23ED7DA6AE89A8BCCB262F509AABE61A1121C3F87EC9200791F2670225BAEECC3C92AED6AFDA86C08CA0FD611DA2E595D2
Malicious:	false
Preview:	........................#.....&.....:......7.....7.....7.....7.+...7.1...7.8...7.9...7)<...7.=...7xE...7.H...7.J...7'N...7.Q...7.T...7.U...7.W...7.Z...7._...7.e...7.l...7.n...7Fp...7ft...7.v...7)y...7.\|...7.~...7.....7j....7E....7K....7g....7.....7s....7.....7r....7.....7.....7.....7a....7:....7l"...8.%...8<,..<F.J..=F.N..>FtV..?F9\..@Fw_..AFr`..BF0g..CFll..DF\|o..EF.v..FF){..MF....NF...QFf...RF....YF`...ZF...[F....\F....]F....L....L.....L.....N.....N.....N.....N.....N.....N.....N.#...N.&...N.'...N.)...N....N.+...Nv,...N.-...N;r...N.\|...Um....U.....UM....UV....U.....U....UC....U.....U....UM....U.....U.....Um....U.....U.....U.....U.....UQ....U.....U7....U.....U.....Uk....U.....U.....U.....U.....U.....U.....U.....U.....U.....U{....U.....U.....U.....U~&...U.)...U.Q...U.Q...U.V...U.[...U.\...U._...U.`...U?a...U.a...Uic...U.d...U\f...U.g...U.i...U1l...U.p...U.u...U.}...U.....U.....U^....U.....U.....Ux....U....U.....Uy....U6....U.....U....UR....Uq....U.....U.....U_....U.....U.....U..

C:\Users\user\AppData\Roaming\GamePall\cef_extensions.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1305142
Entropy (8bit):	7.99463351416358
Encrypted:	true
SSDEEP:	24576:8AkckSbnVLjWG13xdT0b+SLzRYt2k+lbG9EjJNH/osm22O+EcRfPLP:88zVXWG1hdAKSxY4k5EFNHgvPPLP
MD5:	20DDA02AF522924E45223D7262D0E1ED
SHA1:	378E88033A7083AAC24E6CD2144F7BC706F00837
SHA-256:	8448C2BA10A3D7DC8CA3FB24F580BF99D91F746107B1A06E74932749CC1CAB01
SHA-512:	E71320B2AA0CB52938206EC00187D78274646C4C7D3579B33A0163262C063B7813FE7ACD0D2E5807082ADE772069AA577FED7F594964790C2F7C061CE38467B6
Malicious:	false
Preview:	........i...f+....i+....l+....m+{...n+q...o+7(..p+.1..q+X3..r+~5..s+aI..t+.]..u+.f..v+Ui..w+'k..x+.l..y+.q..z+.s..{+O{..\|+...}+=...~+.....+....+-....+.....+.....+.....+.....+.....+.....+.....+.....+.....+%....+.....+&(...+.Q...+.Y...+Xe...+Bj...+cv...+.}...+....+H....+....+Q....+l....+I....+.....+ ....+T....+!....+m....+.....+.....+U....+.....+.....+.....+l....+~....+.....+=....+w....+.....+-"...+.(...+.0...+.2...+.4...+.G...+uS...+.....+9....+y....+.....+.....+N....+....+0....+.....+.....+.....+_....+.....+.....+.....+.....+.....+.....+.....+.....+S....7`....7R...(7/...)7.....L.m...LO....L.....Mk....M.....M.....M>....M.....M.....Mq....M.....M.....M\....M.....M.....M.....M.....M.....M.....M.....M.....M.....MO....M.....M.....M.!...M.(...Mf5...M.;...M&E...M.P...M.T...M<]...M.`...M.j.. M.k..!M2v.."M.w..#M.z..$M....%M...&M...'M#...(M@...)M....*M(...+MY...,Mu...-M$....M..../MV...0M;...1Mx...2M....3M....4Mi...5M....6M....7MP...8M"...DM....EM.....Mi....M.~...M.~...Mb....M_....M....M.

C:\Users\user\AppData\Roaming\GamePall\cef_sandbox.lib

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	current ar archive
Category:	dropped
Size (bytes):	87182312
Entropy (8bit):	5.477474753748716
Encrypted:	false
SSDEEP:	196608:v0b1XAJ5V8XYcrfCNJsTtU0ZhdYHbgMnn6d25JOcLRiLnIrBcnK0EAeg1GF:78JaNJyZhdE6383rWEAR8
MD5:	FFD456A85E341D430AFA0C07C1068538
SHA1:	59394310B45F7B2B2882D55ADD9310C692C7144F
SHA-256:	F188B96639B5157E64222BB8483D76CD21A99141FC2614EF275E20639C739264
SHA-512:	EB4CB388383CB37B1D89531D560169985A80DF9335F005AFBBFDE56F9031821A933D735138B1086CF81D006E480FF14711A8A95B3DB8A0FD4037AA6EFD926B50
Malicious:	false
Preview:	!<arch>./ 1696073295 0 1940897 `...Y..:.t.:.>.:...:...:...:...:...;/..;/..;/..;/..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..;k..@...@...@...@...@...A...A...A...A...A...A...A...A...A...A...A...A...Co..Co..Co..Co..Co..Co..Co..Co..Co..Co..E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...E...G..G..G..G..G..G..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=..H=.

C:\Users\user\AppData\Roaming\GamePall\chrome_100_percent.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	656926
Entropy (8bit):	7.964275415195004
Encrypted:	false
SSDEEP:	12288:fI3Hdjzgsz5B0GDJQrnKs8SNP+QSsSilRBdNze0Vc+gIXgt4z8oO0TehEr7:g397zEEmPLSOdNze05gUgmz8oO0TOW
MD5:	3404DD2B0E63D9418F755430336C7164
SHA1:	0D7D8540FDC056BB741D9BAF2DC7A931C517C471
SHA-256:	0D3FCA7584613EB1A38BAF971A7DD94F70803FC130135885EC675E83D16A4889
SHA-512:	685D63633DB8A57D84225C2B92C92016E1CE98BA2BF8D3DDACE2EB120B3BCF84C718787D59DB6EC61F34CF91CB651500B4E4FF0AC37AEB89561CDCC586946C80
Malicious:	false
Preview:	..........+...........................&..........;.....;N....;.....;"....;.....;.....;N....;.....;.....;s....;....;.....;.....;....;4....;.....;.....;0....;.....;c....;7....;.....;.....;.....;.....;?....;:....;G....;.....;n....;x....;.....;.....;.....;#....;.....;.....;B....;.....;.....;.....;N....;.....;.....;+....;.....;% ...;c!...;.!...;."...;E+...;t4...;qH...;I\...;.]...;.^...;>a...;.c...;.g...;.o...;pw...;.\|...;h....;.....;.....;....;.....;....;o....;.....;.....;.....;....;y....;.....;.....;3....;9....;h....;.....;.....;.....;F....;."...;.+...;.0...;.8...;?:...;'X...;.q...;.....;....;.....;t....;.....;.....;.....;./...;.X...; m...;....;.....;.....;.....;+....;.....<O....<.....<.....<=....<2$...<y+...<.3...<.<...<aA...<.L...<.W...<.[...<._...<.d...<Dv...<t....<!....<....<....<.....<.....<.....<V....<.....<.#...<.8...<\|F...<hP...<bW.. <i^..!<ts.."<(...#<{...)<`...<c...+<d...,<"...;<x...<<k...=<....><-...?<....@<....A<'...B<g...C<....D<U...E<....F<....G<....J<....K<....L<v%

C:\Users\user\AppData\Roaming\GamePall\chrome_200_percent.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1017158
Entropy (8bit):	7.951759131641406
Encrypted:	false
SSDEEP:	24576:m3Tl5zLmmibkFR8+mZRUumegvQtc05UwvdAbatzk6edhOLoe9:m3Tl53mNbkFRJmHURhQW05JvdlzkjrOH
MD5:	3FBF52922588A52245DC927BCC36DBB3
SHA1:	EF3C463C707A919876BF17C3E1CD05C0D2C28CA9
SHA-256:	C6FE346106C5E4950161ED72EB0A81FE3537A94E4A59461AAF54E750D1904F76
SHA-512:	682EB6D61B564C878FDB971A6439FCDA9F1E108BD021A32E8990B68B1338986A4866A0965DEA62567501C8826D43CEBF2B7C8BE8323DE415A75E8D89A9D592E7
Malicious:	false
Preview:	..........+.....................b................;.....;&....;.....;.....;.....;.....;b....;....;8....;.....;.....;o....;....;<....;.....;.....;l....;....;/....;.....;[....;Q....;.....;j....;.....;.....;L'...;.E...;lZ...;.o...;.q...;.r...;.s...;.{...;.{...;.~...;"....;.....;U....;.....;.....;.....;....;d....;.....;.....;i....;.....;f....;....;0....;.....;.....;.(...;+...;.+...;A....;54...;.9...;,O...;.`...;.n...;.~...;.....;.....;M....;....;;....;q....;Z....;.....;.....;.-...;\=...;.P...;.d...;@\|...;.....;Y....;#....;_....;/....;.....;.#...;.;...;.J...;gc...;cf...;W....;....;W....;.....;.....;.....;7....;.-...;.I...;Y\...;W....;....;.....;S....;.....;t....;.....;.....<W....<.&...<9<...<iG...<jQ...<.X...</a...<gi...<.n...<Pz...<.....<f....<.....<I....<.....<.....<.....<4C...<4d...<....<....<.....<.....<.....<D8...<.e...<_....<....<.... <I...!<...."<.E..#<.E..)<.G..<%j..+<N...,<....;<....<<v...=<....><....?<....@<y...A<....B<....C<....D<....E<"F..F<.J..G<.O..J<.X..K<.e..L<.r

C:\Users\user\AppData\Roaming\GamePall\chrome_elf.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1174528
Entropy (8bit):	6.475826085865088
Encrypted:	false
SSDEEP:	24576:I3lp87thPKuxyj+tWF8lCwOvzr90p5OM3:FauY+tWF8b5OM3
MD5:	207AC4BE98A6A5A72BE027E0A9904462
SHA1:	D58D2C70EA0656D81C627D424F8F4EFCCEF57C86
SHA-256:	2BA904DA93ACC4766639E7018AC93CC32AA685DB475F3A59B464C6BC8B981457
SHA-512:	BFB6C58774829DB3D5FADC92CB51477FF4EAC8FB934DB6583A312BB1157468F6DD3A4A3AFAF25A687B74890DC8A69857A12D0B38B18D83E82836E92E02046FF3
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....v...p......P.....................................................@A........................vT......AX..<.......x...........................<<.......................;......(...............<[.......O.......................text....u.......v.................. ..`.rdata..\............z..............@..@.data...H...........................@....00cfg...............F..............@..@.crthunk.............H..............@..@.tls.................J..............@...CPADinfo(............L..............@...malloc_h.............N.............. ..`.rsrc...x............P..............@..@.reloc...............X..............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_43.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2106216
Entropy (8bit):	6.4563314852745375
Encrypted:	false
SSDEEP:	49152:DpX9JVeE9HP6Zpy9KyhMI50Du8LljslNsHSHFUq9OiapbbO5Akb:H3P9HP6Zpy9KyhMI50Du8LljslNsyHiS
MD5:	1C9B45E87528B8BB8CFA884EA0099A85
SHA1:	98BE17E1D324790A5B206E1EA1CC4E64FBE21240
SHA-256:	2F23182EC6F4889397AC4BF03D62536136C5BDBA825C7D2C4EF08C827F3A8A1C
SHA-512:	B76D780810E8617B80331B4AD56E9C753652AF2E55B66795F7A7D67D6AFCEC5EF00D120D9B2C64126309076D8169239A721AE8B34784B639B3A3E2BF50D6EE34
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......\.h...;...;...;..];...;...;...;.._;...;..h;0..;..i;'..;..X;...;..l;D..;?M.;...;..Y;...;..^;...;Rich...;........PE..L...92.K...........!.........d...............................................p .....O. ...@.........................@.......@...P..................... .h............................................i..@............................................text...S........................... ..`.data....~.......B..................@....rsrc................(..............@..@.reloc..D............,..............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\d3dcompiler_47.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4127200
Entropy (8bit):	6.577665867424953
Encrypted:	false
SSDEEP:	49152:OS7PQ+besnXqRtHKzhwSsz6Ku1FVVOsLQuouM0MeAD36FqxLfeIgSNwLTzHiU2Ir:O4PhqqFVUsLQl6FqVCLTzHxJIMd
MD5:	3B4647BCB9FEB591C2C05D1A606ED988
SHA1:	B42C59F96FB069FD49009DFD94550A7764E6C97C
SHA-256:	35773C397036B368C1E75D4E0D62C36D98139EBE74E42C1FF7BE71C6B5A19FD7
SHA-512:	00CD443B36F53985212AC43B44F56C18BF70E25119BBF9C59D05E2358FF45254B957F1EC63FC70FB57B1726FD8F76CCFAD8103C67454B817A4F183F9122E3F50
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........!7P.OdP.OdP.Od..NeR.OdP.Nd..OdY..dU.Od.Jem.Od.KeQ.Od...dQ.Od..Leo.Od..Je..Od..OeQ.Od..Ge..Od..Kec.Od...dQ.Od..MeQ.OdRichP.Od................PE..L..................!.....2<..*...............P<...............................?.......?...@A.........................<<.u.....=.P.....=.@.............>..%....=.........T....................u..........@.............=..............................text...e0<......2<................. ..`.data...`"...P<......6<.............@....idata........=.......<.............@..@.rsrc...@.....=.......<.............@..@.reloc........=.......<.............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\devtools_resources.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	2205743
Entropy (8bit):	7.923318114432295
Encrypted:	false
SSDEEP:	49152:qHlbrhXKMVp/DVegxF2Xe1WFG4F3KMWB7rwz3yY+23:qFnhXKwggr0cWEgaMi7rwrw23
MD5:	54D4E14BFF05C268248CAB2EEDFB61DD
SHA1:	33AF472176F6E5FB821FFE23C9FBCCC7C735B5B9
SHA-256:	2CAC401BFFA9FD4DFFE11E05EE18FC5CA7A30EC5BF7EF6A3EA8518A4F3344790
SHA-512:	5A6893E7EA30EAA0EFF44687B0D15366A8224E476E4AE8FE0D5C7EF2B3C62E6B0184F73EAD36C4E4E08D6936524CEF8429660B3EC29453EED128E3C5368CE78C
Malicious:	false
Preview:	........K....[.....[.....[.....[Y....[.....[.....[.....[.....[P ...[.!...[."...[.#...[.$...[.%...[.%...[T&...[0'...[/(...[.(...[.(...[....[.+...[{,...[1-...[.-...[3....[b/...[.0...[.1...[.2...[.3...[,4...[.4...[P5...[.5...[#6...[!8...[.8...[.9...[.9...[::...[q;...[Y=...[.=...[ ?...[.@...[0A...[iB...[?D...[.E...[pE...[UF...[.G...[.H...[)I...[.I...[.M...[.M...[DN...[.N...[FO...[.O...[.Q...[oV...[uW...[cX...[[\...[.]...[Ea...[bc...[.c...[ d...[.d...[oe...[.f...[.h...[.i...[Xj...[.k...[.l...[An...[.o...[.p...[.....[....[.....[.....[.....[.....[[!...[.%...[d....[x1...[.4...[.4...[.9...[.C...[.Q...[KS...[#V...[=]...\.b...\.z...\Q}...\.....\.....\....\`....\.^...\7b...\uy...\g....\.....\.....\=....\....\....\....\'....\.....\....\.... \....!\...."\....$\....%\....&\....)\....\....+\.Q..,\.S..-\.U...\..../\w...0\....1\8...2\....3\....4\....5\....6\....7\.T..8\.z..9\6...:\....;\c...<\)&..=\...>\>5..?\JU..@\.r..A\....B\9...C\....D\S...E\....F\\y..G\Y...H\%...I\....J\M...K\.a..L\.j..M\.n

C:\Users\user\AppData\Roaming\GamePall\icudtl.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	10717392
Entropy (8bit):	6.282534560973548
Encrypted:	false
SSDEEP:	196608:hpgPBhORiuQwCliXUxbblHa93Whli6Z86WOH:n8wkDliXUxbblHa93Whli6Z8I
MD5:	E0F1AD85C0933ECCE2E003A2C59AE726
SHA1:	A8539FC5A233558EDFA264A34F7AF6187C3F0D4F
SHA-256:	F5170AA2B388D23BEBF98784DD488A9BCB741470384A6A9A8D7A2638D768DEFB
SHA-512:	714ED5AE44DFA4812081B8DE42401197C235A4FA05206597F4C7B4170DD37E8360CC75D176399B735C9AEC200F5B7D5C81C07B9AB58CBCA8DC08861C6814FB28
Malicious:	false
Preview:	...'........CmnD........ Copyright (C) 2016 and later: Unicode, Inc. and others. License & terms of use: http://www.unicode.org/copyright.html ......E.......E.......E..P/...E.../...E..P7...E...7...E...h...F...h.. F..Pi..0F......DF.....WF.....jF..P...}F.......F..`....F.......F.. ....F.......F..0....F.......G......G......(G.....;G..@...NG......aG.....tG.......G.......G..@....G.......G.......G.......G..P....G.......H.......H..P...2H......EH..`...UH......hH......yH..P....H.......H.......H..`....H.......H.......H..P....I.......I......-I..@...=I......PI......aI..@...uI.......I...0...I.. 1...I..p1...I...e...I...e...I...i...I..`i...J...i..)J...K..BJ..p...^J..."'.uJ..P.'..J....'..J...5'..J..06'..J...>'..J..P?'..K...D'..K...F'.0K...H'.IK...V'.hK....(..K....(..K..P.)..K....)..K..pW..K..P...L...*+.?L..p.+.bL....+..L...U,..L....,..L....,..L....,..L..@.,..M....,.-M..P.-.IM.. e-.`M...e-.~M...R/..M.../..M..0.0..M..@.0..M..P.0..M....0..N....0.!N...,0.9N...,0.NN..0-0.fN...-0.vN...Y0..N...Z0..N..

C:\Users\user\AppData\Roaming\GamePall\libEGL.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	377856
Entropy (8bit):	6.602916265542373
Encrypted:	false
SSDEEP:	6144:oJ4tr7XVkL/2qBCOeRMIKVpqtXmzKwdo23zqyU73omBT095OiZH:2NfBCOeR/KVpqtio23zqyOsOo
MD5:	8BC03B20348D4FEBE6AEDAA32AFBBF47
SHA1:	B1843C83808D9C8FBA32181CD3A033C66648C685
SHA-256:	CBEE7AC19C7DCCCA15581BD5C6AD037A35820DDFE7C64E50792292F3F2E391E6
SHA-512:	3F9EEC2C75D2A2684C5B278A47FB0E78B57F4F11591FAC4F61DE929F716BBAA8F7DF05E10390408AD6628538611541548C26869822372E9C38D2C9C43881651E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....`...`............................................... ............@A........................8,..h....:..(.......x........................>..........................D........p..............(<..`............................text....^.......`.................. ..`.rdata..L....p.......d..............@..@.data....4...p.......`..............@....00cfg...............\|..............@..@.tls.................~..............@....rsrc...x...........................@..@.reloc...>.......>..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\libGLESv2.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	6635008
Entropy (8bit):	6.832077162910607
Encrypted:	false
SSDEEP:	196608:HrmMLEFtac5bM68f8Oi3WjH13GzSW3430aTwQCe:a+ktad68f8Oi3oH13GztokaTwbe
MD5:	63988D35D7AB96823B5403BE3C110F7F
SHA1:	8CC4D3F4D2F1A2285535706961A26D02595AF55C
SHA-256:	E03606B05EEAED4D567EA0412350721C0D566B3096B18C23BD0B3FCDE239E45A
SHA-512:	D5F5ACA00BE9E875FCD61531CC7F04F520FB12999E36E4FE06BEAAE491B47D2E9FE182015DB1CBFBB8E78CF679F2EB49E20ECDF1B16D1D42058D6F2D91BC3359
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!......L...........@.......................................e...........@A.........................].......^.d.....a.......................a.."...U]......................T].....X.L.............H.^.@.....].@....................text.....L.......L................. ..`.rdata...I....L..J....L.............@..@.data...X....._.......^.............@....00cfg........a.......a.............@..@.tls..........a.......a.............@....rsrc.........a.......a.............@..@.reloc..."....a..$....a.............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\libcef.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	176517632
Entropy (8bit):	7.025874989859836
Encrypted:	false
SSDEEP:	1572864:VSuR7JVHywK/Sf1rWID4Pu2v8zgguHWJEqM90Hw4DclJkBLrWXmfnehuWNIPKtlL:MCYRNIPKYTFBhfmOS9KBaVz
MD5:	F5259CC7721CA2BCC8AC97B76B1D3C7A
SHA1:	C2FC0C8396D8CD6764809A2A592972E2EBCA64BA
SHA-256:	3FE6A262EF01CB8FD4DC2D4373DE0F1F0A89EE51953452ED4557CB55F1DA9AB4
SHA-512:	2D01B1F2B24717EFF37965BBC32D167434A65F3DFFF74342D2E2FA8FBB0E97C3F61FDF673A13AD63031D630D9CE46A6F9F0C4F89EBD30C31F3EA55817B9D1331
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.........N.......k....................................................@A........................#..........h....0J.(C....................L.\|.\.P................................?..............`.......LY..@....................text............................... ..`.rdata...%2..0...&2.................@..@.data...dr+..`.......>..............@....00cfg........I.......&.............@..@.rodata.@.....I.......&............. ..`.tls..........J.......&.............@...CPADinfo(.....J.......&.............@...malloc_h..... J.......&............. ..`.rsrc...(C...0J..D....&.............@..@.reloc..\|.\...L..0\..B).............@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\libcef.lib

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	current ar archive
Category:	dropped
Size (bytes):	40258
Entropy (8bit):	4.547436244061504
Encrypted:	false
SSDEEP:	384:EDDktao110LafOv9YObvWKH0Nd4wM5gqJ/xqFeRinM68BifLUsOgC7EYo:gDkP10LafOR5gmqFSinF8BsYo
MD5:	310744A0E10BD9C2C6F50C525E4447F9
SHA1:	9BA62D6AC2CB8EFF46C9B21051677FC1DC66D718
SHA-256:	E9C55CFF925E26812139CDCAD6612E0D69E317CB7BB1435C9EB5113D338ACCE7
SHA-512:	6DF9E3F9AFD7CDEC750B006987E5AEC445E163DD0B9CF1A9EA53F78DB2EE5FD654E3B4F82BCA3E1F4BEDB189F5DFA51189C820905676AD048DBE2E0AD405BF5B
Malicious:	false
Preview:	!<arch>./ 0 0 0 0 14390 `.......8z..:&..:...;...;...<&..<&..<...<...=...=...=...=...>...>...>...>...>...>...?f..?f..?...?...@B..@B..@...@...A$..A$..A...A...B"..B"..B...B...C...C...C...C...D...D...D...D...D...D...E...E...E...E...Fn..Fn..F...F...GZ..GZ..G...G...HJ..HJ..H...H...I$..I$..I...I...J...J...J...J...K ..K ..K...K...L...L...L...L...M...M...M...M...N...N...N\|..N\|..N...N...Od..Od..O...O...P`..P`..P...P...QP..QP..Q...Q...RT..RT..R...R...S@..S@..S...S...T...T...T...T...U...U...Un..Un..U...U...VP..VP..V...V...W,..W,..W...W...X...X...X...X...X...X...Y\..Y\..Y...Y...ZB..ZB..Z...Z...[,..[,..[...[...\...\...\...\...\...\...]b..]b..]...]...^N..^N..^...^..._6.._6.._..._...`$..`$..`...`...a...a...a...a...b...b...b...b...c...c...c...c...c...c...dj..dj..d...d...e^..e^..e...e...fV..fV..f...f...g8..g8..g...g...h..h..h...h...i"..i"..i...i...j...j...j...j...k...k...k...k...l...l...l...l...l...l...mh..mh..m...m...nN..nN..n...n...o2..o2..o...o...p...p...p.

C:\Users\user\AppData\Roaming\GamePall\locales\af.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	470498
Entropy (8bit):	5.409080468053459
Encrypted:	false
SSDEEP:	12288:5Qs+yrck0o+wZiSMKVQ2uM2Z12JynA7PIZ+sdgSTCSQ2fs37KQOb5t/tn6AmHiKL:5n+yrck0ofMSMaTuM2Z12JynA7PIZ+se
MD5:	64F46DC20A140F2FA3D4677E7CD85DD1
SHA1:	5A4102E3E34C1360F833507A48E61DFD31707377
SHA-256:	BA5CA0A98E873799A20FD0DF39FDB55AAB140E3CC6021E0B597C04CCE534246D
SHA-512:	F7D789427316595764C99B00AF0EF1861204F74B33F9FAB0450F670CB56290C92BFB06EF7D1D3B3BF0B6ACDC6295E77F842C49579BD9973E3D5805920CDB2527
Malicious:	false
Preview:	........$$..e.>...h.F...i.N...j.Z...k.i...l.t...n.\|...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.........................&...........5.....<.....C.....D.....E.....J.....W.....f.....w.................x.................A.......................S.........................................%.....{.......................V.......................J.......................Y.......................e.......................a.......................l...................................O.....f.......................).....z.......................6.....u.......................Q.......................E.....w.................!.....I.....R.............................l.......................f.................+.............................f.......................D.......................<......................._.......................2.....~.................2.....v.................X...........$.....8.................P.....r...........6.....j.....}.................1.....?...................

C:\Users\user\AppData\Roaming\GamePall\locales\am.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	763010
Entropy (8bit):	4.909167677028143
Encrypted:	false
SSDEEP:	12288:1Qw5lCtXTZou7fVIx2TERZ3ej56NNzLY5+9FQVrBO0PCx30jH8+F:1QACtXTZlVIxJRZuj56NNzLY5+9FQVrr
MD5:	3B0D0F3EC195A0796A6E2FAB0C282BFB
SHA1:	6FCFCD102DE06A0095584A0186BD307AA49E49BD
SHA-256:	F9F620F599BC00E84A9826948C3DA985AC9ADB7A6FFB4C6E4FBEFEAF6A94CF85
SHA-512:	CA9217F22C52EF44E4F25142D1AD5DD9D16E4CCC3B6641609E1F4C2650944E35BA4CAB59CA5CD9EA6FEFD6BE1D3E8227FC0E3E6BDEDD14B059CA2C72D096D836
Malicious:	false
Preview:	........>${.e.r...h.z...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.(...\|.....}.@.....H.....M.....U.....].....e.....l.....s.....z.....{.....\|...............................................F.....f.....'...........V...........Y.............................5.................F.................!.................d.....z...............................................C...........\.................z...........h...........3...........$.....C.................e.................i.................,.......................X.............................h.......................!.....\|...........$.............................1.....}.........................................Z.................\|...........'.....N...........F.................;.............................G.................v............ ....4 ..... ....X!.....!.....!....x"....."....Z#.....#....M$.....%.....%.....%.....&....+'.....'.....'.....(....D).....).....)....2....................+....",.....,

C:\Users\user\AppData\Roaming\GamePall\locales\ar.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	838413
Entropy (8bit):	4.920788245468804
Encrypted:	false
SSDEEP:	12288:izbA8VvnwBkh5/N/REWH4gzWvwU5Bwikcb56NiN+o2qeTk:UjERl51+K
MD5:	C70B71B05A8CA5B8243C951B96D67453
SHA1:	DEED73A89F0B3EDAB8FF74117CC6B31CB4F426E8
SHA-256:	5E0D4BC0893A334B6FFF610F66E4A00920530D73EC3257EB9D37A96EBD555C13
SHA-512:	E000FD3592AC5FE700C4CE117868915C066AC66D5954A1DE4F5AFF0F4559C93F7DFF47623F1837CE827FFF94E91ECD89A974037BE9CCCC8E672E229A1E8115E9
Malicious:	false
Preview:	.........#..e.....h.....i.....j.....k.....l.!...n.)...o.....p.;...q.A...r.M...s.^...t.g...v.\|...w.....y.....z.....\|.....}.........................................................................-.....d.................n...........A...........u.......................O.......................D.................Y...........3.....J...........=.....g.....~.....&.................O.......................B.....!...........u...........5...........).....W.................3.....N.....U.....B...........!.........../.....Y........... .......................g...........).....I.................#.....A...........@.................6........... .....D...........I.................%.............................=.................?...................................G...................................).....t............ ..... ..... ..... ....o!.....!....6"....\"....."....S#.....#.....#.....$.....%....V&.....&....5'.....'.....(....J(.....(....X).....).....).........z..............t+.....,....{,.....,....--

C:\Users\user\AppData\Roaming\GamePall\locales\bg.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	869469
Entropy (8bit):	4.677916300869337
Encrypted:	false
SSDEEP:	24576:BSLV0eChsqfaElYMdAs1axUjHh373ZI93aAK5kVDgQwRunpKd2ao5JJqueRSQQFc:BmSeChsqfaElYtUjHh373Zi3a1kVDgQS
MD5:	12A9400F521EC1D3975257B2061F5790
SHA1:	100EA691E0C53B240C72EAEC15C84A686E808067
SHA-256:	B7FD85B33B69D7B50F6C3FDC4D48070E8D853C255F2711EEDAA40D1BA835F993
SHA-512:	31EAA1CBF13BC711750B257C6B75813ACC8E4E04E9262815E399A88B96BA7B5BE64CE2450638B5521D5CB36750C64848944168C3234D2CE15A7E3E844A1E1667
Malicious:	false
Preview:	........%$..e.@...h.H...i.P...j.\...k.k...l.v...n.~...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}................... .....(.....0.....7.....>.....E.....F.....G.....L.....n...................................I...........Q...........q.......................T.................E.......................7.....~...........<.................:.....&...........F.................X...........$.................Z...........X...........m.................C.........................................{...........:.....a...................................8................._...........O.....}...................................$.....h.........................................2.............................3 ....e .....!.....!.....!.....".....".....#....W#.....#....{$....-%.....%.....%.....&....k'.....'....T(.....).....).....).....).....*....`+.....+.....+.....,....p-.....-....&....../...../.....0.....0.....1....o2.....2....73.....4.....4.....4....-5.....5....X6.....6.....6.....7.....8.....9

C:\Users\user\AppData\Roaming\GamePall\locales\bn.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1118348
Entropy (8bit):	4.2989199535081895
Encrypted:	false
SSDEEP:	3072:V2rCcsPp3UbQ7792UA7pHFEadKZ0ZfQ0/QeIyTt7ukkBBbpUDDM51biXlau:V2rCcsPB2eJRApG2Iyp7ubBbf5ElP
MD5:	89A24AF99D5592AB8964B701F13E1706
SHA1:	2177122C6DCC20E1D07EF43AF5A112E8E5C6B95B
SHA-256:	5BDBBCD0D07B6AE3A7F96F07871EE541F4111D90D73FD6E112C5ABE040025C96
SHA-512:	60F6CD73BF35886EF54FA6200F86BCED78DD11F612C8071F63EB31108F109C166D45609879E8E5107024A025BAFCFCF1C80051B6D8FF650D92DCF17136384EB1
Malicious:	false
Preview:	........($..e.F...h.N...i._...j.k...k.z...l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.......#.....(.....0.....8.....=.....E.....L.....S.....Z.....[.....\.....a.............................=.....G...........?.....4...........................................................B.....}.....>...........k...........X...........].............................q.....W...................................W...........S...........e.............................I.....m.....e..........._.....(.................9...........q.................p...........5.....X.....8...........Q...........M...........I.....u.....-...........!.....G............ ..... ..... .....!....P".....".....".....#.....%.....%.....&.....'.....'....^(.....(....;).....).........6.....+.....+....1,....],....E-................-/...../....x0.....0.....0.....1.....2.....2.....3...."4.....4....x5.....5.....6....78....*9....]9.....:.....;....;<.....<.....=....?>.....>.....>.....?....y@.....@.... A....&B.....B

C:\Users\user\AppData\Roaming\GamePall\locales\ca.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	537139
Entropy (8bit):	5.397688491907634
Encrypted:	false
SSDEEP:	12288:RZZsIQ87TcELygV3z5PAF4N3Mw2juwHzejm0t3lvq8E9oCRaIs3cmlLEY2CJLLyG:vqH4V8R2A9lMN4MZRg5u5dq8
MD5:	37B54705BD9620E69E7E9305CDFAC7AB
SHA1:	D9059289D5A4CAB287F1F877470605ED6BBDA2C8
SHA-256:	98B2B599C57675EFC1456B38B23CE5657B142E0547F89AB1530870652C8EB4BA
SHA-512:	42D667FEB59BB5FA619AC43DC94629ED1157CBE602643FB21378A2C524EF1F6E32098E7C62D3F3DE35D9FEDEF6607FE034908601AE3C49156CD0916E2514D2F9
Malicious:	false
Preview:	........%$..e.@...h.H...i.P...j.\...k.k...l.v...n.~...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}................... .....(.....0.....7.....>.....E.....F.....G.....I.....c.....\|................._...........[.....z...........O.................D...........(.....G.................B....._.................A.....T.................8.....I...........3.....u...........(.......................p.................,.......................1.................T.....o.............................v.......................b.......................@.......................@.......................O.......................<.............................`.......................P.........................................M.......................H......................._.........................................n.......................Q.......................[.............................1.................>.........................................6.............................\|...........".....>.

C:\Users\user\AppData\Roaming\GamePall\locales\cs.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	545011
Entropy (8bit):	5.844949195905198
Encrypted:	false
SSDEEP:	12288:yW0j+bk/1ryvoP5QW5FK8VtDNOQ3SCmPA:blI1uvoR95FK8VnObCmPA
MD5:	65A2C2A73232AB1073E44E0FB6310A5F
SHA1:	F3158AA527538819C93F57E2C778198A94416C98
SHA-256:	E9A1610AFFCA9F69CD651C8D2EDD71B5A0F82CB3910A8A9D783F68E701DB5BB0
SHA-512:	20ED527F3BBBA2CECE03D7B251B19D6DCC9D345B5425291D8139FCDD5646EC34D585891160CC4BD96C668D18FFFFDD56F4D159880CFC0D538749F429F7F65512
Malicious:	false
Preview:	.........$..e.....h.&...i.....j.:...k.I...l.T...n.\...o.a...p.n...q.t...r.....s.....t.....v.....w.....y.....z.....\|.....}.................................................#.....$.....%.....'.....7.....I.....[.....p.............................\|.................%...........(.........................................3......................./.......................2.......................z...........I.....k...........R.......................v................./.......................z...........=.....W.................&.....=....................... .....o.......................^.......................r.......................m.......................b.......................z.................0...........%.....i.......................3.....G.......................(.......................1.................R................./.....J.....^...........A.....q.................`.................,...................................V.....w...........Z.......................O.....t.................b.......

C:\Users\user\AppData\Roaming\GamePall\locales\da.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	496165
Entropy (8bit):	5.446061543230436
Encrypted:	false
SSDEEP:	6144:uH+pwMYDA3cPzVWwqV5cU3HVEs7avwlTwUJwa7obRR2vJub5iNraBDUd4vTGqfwB:ueCFDccAzHza0QR5KraTpO
MD5:	A44EC6AAA456A6129FD820CA75E968BE
SHA1:	9B5B17AFD57ADB8513D2DA9A72223E8A003975A5
SHA-256:	F01F9C3E4E6204425F2969F77BF6241D1111CE86CDD169BDF27E5D2D4B86C91A
SHA-512:	947DB81EA64009CC301CD2DCE06384202E56446F6D75E62390334B91D09B564CB0681E06BF7A945033BD6C28C2171346A91EE16693262C4E373A31B51AD42A9E
Malicious:	false
Preview:	........,$..e.N...h.V...i.g...j.s...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}."........../.....7.....?.....G.....N.....U.....\.....].....^.....`.....n.....~.........................................Q..................................q.................].......................P.....w.................8.....b.....p...........9.....h.................n.................7.......................^............................. .....p...................................q.......................X.......................1...............................................".............................{.......................Z.......................C.....p.....~...........y.................4.............................l.......................I.....f.....v...........^.................................................................F.......................B...................................O.....~...........J.....z.................$.....@.....M.................F.

C:\Users\user\AppData\Roaming\GamePall\locales\de.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	534726
Entropy (8bit):	5.49306456316532
Encrypted:	false
SSDEEP:	6144:DHU4lkHqzOxl5bARnY43K7Up7aD3gXra/nOdaIyRL3AnO1a265iM5CRQmTzMRQIz:L5l+qCx4e43K7UpugbaPotwS5Cmv4CYe
MD5:	49CA708EBB7A4913C36F7461F094886B
SHA1:	13A6B5E8DC8B4DF7A976A0859684DC0AA70F1B12
SHA-256:	8AE7D6B77C51A4FE67459860ABDAE463F10766FAF2BA54F2BB85FD9E859D2324
SHA-512:	6908F96BFDF7499B33E76697AA96103E89ACB3E25EDBD6156B610564AF14D4ED474C547A760503490B6327A801478E223039836BEEF2B938AF76827A15C0F751
Malicious:	false
Preview:	.........#..e.~...h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.%...y.+...z.:...\|.@...}.R.....Z....._.....g.....o.....w.....~.................................................................X.................E...................................^.....x...........n................./.......................Z...................................U.....w.............................h...........&.....7...........9.....w........... ................. ..........._.................D.......................U.......................h...................................a.....x...........f.........................................F.......................u...........).....;...........j.................A.......................;.......................9.......................t...........,.....`...........-.....K.....b...........G.....s.................}.................T...........,.....6...........S................./.......................K.......................t...........*.

C:\Users\user\AppData\Roaming\GamePall\locales\el.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	950999
Entropy (8bit):	4.76377388695373
Encrypted:	false
SSDEEP:	24576:aYcXPdGgx11hxi9c9N+JXDsSYSmqHMuD2fpoLwj3BAVH8+Vdc7tNDQo3sEtf2otu:aYcXPdGgx11hxi9c9N+JXDsSYSmqHND9
MD5:	9CBC320E39CFF7C29F61BD367C0BF3BB
SHA1:	2AF07EFFF54A0CF916CF1C0A657F7B7ADF2029FF
SHA-256:	E8837DEFA908EB2FD8B4EB6344412C93403A4258F75EC63A69547EB06A8E53B3
SHA-512:	F7D84185F4520E7AAF3F3CACF38B53E9638BB7D5023FA244020EC8D141FFD5C10B198FF089824D69671FE8350F931B0BB19B6CAF14AF47B0838953367A146DD0
Malicious:	false
Preview:	........)$..e.H...h.P...i.X...j.b...k.q...l.\|...n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}...................&...........6.....=.....D.....K.....L.....M.....O.....v.......................5...................................V.................h...........F.....i...........~...........{...........a...........'.................&.......................M.....U.....O............................./.....J.....1..........._...........{.....6................. .............................g.......................<.................J...........8.....t.....O.....).......................U............................................................ ..... .....!.....!.....".....#.....$.....$.....$.....%....\|&.....&.....'.....'....;(....t(.....(....M).....)....;....h....U+.....,.....,.....,.....-....8.....t...........f/....(0.....0.....0.....1....S2.....2.....3....64....Q5.....6....@6....A7....(8.....8.....8.....9.....:....o;.....;....[<....%=.....=.....=.....>.....?....6@

C:\Users\user\AppData\Roaming\GamePall\locales\en-GB.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	430665
Entropy (8bit):	5.517246002357965
Encrypted:	false
SSDEEP:	6144:i+r1EvWwB7qlh7bcMP9eBT/LfaY1+/845qlSBBE0RbPB:i+2dFugMeT/7o54SjB
MD5:	0F1E2BC597771A8DB11D1D3AC59B84F3
SHA1:	C1F782C550AC733852C6BED9AD62AB79FC004049
SHA-256:	E4798E5FF84069C3BFD7D64734CCD9FF5C8A606315B44A714ACDCABDDAF3CA6E
SHA-512:	07E9B98357C880995576059AD4E91E0F145DC0F2FFF2DFDAD8649FA42EB46FA86F7F093503C41019EAD4550784E26C553D171518355FBBF995E38B1F6D7ABFF0
Malicious:	false
Preview:	.........$ .e.(...h.0...i.>...j.J...k.Y...l.d...n.l...o.q...p.~...q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.....................................%.....,.....3.....4.....5.....:.....G.....V.....f.....w...........J.......................H.....y.................I.......................@.....o.......................?.....M............................._.......................B.......................8.............................[............................V.....a................l............................. .....^.............................A.....b.....n.................H.....[.......................+.....t.......................5.....y.......................:.....c.....n...........'.....d.....y.................).....?.............................G.............................].......................4.....O.....^.................6.....F.................#.....;.................V.....d...........$.....[.....x.................F.....U.............................k.............

C:\Users\user\AppData\Roaming\GamePall\locales\en-US.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	434598
Entropy (8bit):	5.509004494756697
Encrypted:	false
SSDEEP:	6144:7nI68aw+/9meyTMP9eLX9ifaY3yzq5OJSMn0F/lFRwj:7nzbIMAX9cj5GShRwj
MD5:	FEAB603B4C7520CCFA84D48B243B1EC0
SHA1:	E04138F1C2928D8EECE6037025B4DA2995F13CB4
SHA-256:	C5B8FBDBB26F390A921DCACC546715F5CC5021CD7C132FD77D8A1562758F21F4
SHA-512:	E6B3970A46D87BFD59E23743B624DA8116D0E1A9912D014557C38FD2664F513E56317AFA536DF52E7E703863FBD92136BE57EE759A2FFC2958AB028F6287E8B7
Malicious:	false
Preview:	.........$..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.,...y.2...z.A...\|.G...}.Y.....a.....f.....n.....v.....~.................................................................G.......................\.......................Q.......................T......................./.....t.......................7.....^.....k.................".....9.................!.....9.............................i.......................7.......................!.............................K.....f.....u.............................Y.............................k.......................G.....t.......................7.....B.............................J.......................$.....~.......................^.............................=.....R.............................q.......................X.............................X.......................7.....o.................X.......................k.......................a.......................!.....C.....S.................,.

C:\Users\user\AppData\Roaming\GamePall\locales\es-419.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	524728
Entropy (8bit):	5.377464936206393
Encrypted:	false
SSDEEP:	6144:PNCz1pZTuB8WGz7iOXIp5YRmB5qLFA9IMWm+Q:P0z1LsCmpXB54FTbQ
MD5:	32A59B6D9C8CA99FBD77CAA2F586509A
SHA1:	7E8356D940D4D4CC2E673460483656915AA59893
SHA-256:	AA4A5AA83DD5F8476867005844F54664DB1F5464A855EF47EC3A821DAF08E8F2
SHA-512:	860BA06228BBA31EEC7EB8BD437DDB6E93BABD0129033FB6EFF168F2FB01B54E2B93D2AB50A5D4F5D2FB7B04A5D0DD5541999D708CC2613B74AADD17B3E98735
Malicious:	false
Preview:	........5$..e.`...h.h...i.q...j.}...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.,.....4.....9.....A.....I.....Q.....X....._.....f.....g.....h.....j.....\|.......................J...........>.....Y...........1.....v..........."...................................L.....g.................4.....G.................,.....=...........7.....}...........6...................................6.....I.................\.....s..........._.................Z...........2.....Y.......................:.......................".......................0.................R.....e...........).....g.....s.................P.....[.................4.....>.................L.....\...........O.................!.....v.................+.....x.................i.................:.................2.......................!.......................0.................I.....c...........x.............................B.....p...........V.......................G.....j.....}...........n.............

C:\Users\user\AppData\Roaming\GamePall\locales\es.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	523181
Entropy (8bit):	5.356449408331279
Encrypted:	false
SSDEEP:	6144:U9Fif228l1GmDS12LhMD3RgDEqpF+Eey1w4Fj05dlrIbosZ86PZHk8jHq:YnymDZqDMnp6y1wEj05frQosRK
MD5:	3D1720FE1D801D54420438A54CBE1547
SHA1:	8B1B0735AE0E473858C59C54111697609831D65A
SHA-256:	AE32D66C0329104B9624BA0811FE79149D1680D28299440EC85835DBA41C7BD2
SHA-512:	C033BBB5261EC114DCB076EDB5E4B3293F37D60C813674A947F996606A6289204C04D2E4315356D92EEEB43FF41D534997DBEBBF960B17F2F24AA731AFE4B7E1
Malicious:	false
Preview:	........5$..e.`...h.h...i.p...j.\|...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.+.....3.....8.....@.....H.....P.....W.....^.....e.....f.....g.....i.....\|.......................O...........G.....b...........D.................0........... .....:.................Y.....t.........../.....^.....n...........0.....X.....i...........c.................W...................................I.....Z................f.....{...........o.................g...........+.....P.................8.....N.................".....1......................@.................?.....R.................;.....G.................%.....0.............................y...................................D.....^.................@.....].................5.....T...........;.....`.....s...........h.................M.......................A.......................W.............................&.................)...................................A.....U................. .....3.................D.

C:\Users\user\AppData\Roaming\GamePall\locales\et.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	475733
Entropy (8bit):	5.456553040437113
Encrypted:	false
SSDEEP:	6144:iX3+xmSYCSnKJ1ONRCOeP+DEmThFC0jmFohW4xSpY0lgtim0DM53j0437PZCfLaQ:W5SZSvrewtHmFoh69M53jq5
MD5:	C00D66D3FD4FD9D777949E2F115F11FB
SHA1:	A8EAAD96CABCDFB7987AF56CB53FA5E16143EC48
SHA-256:	26C438935E3F666329EE8D1DABA66B39179BCF26EBAC902F9B957A784BDC9B4A
SHA-512:	E7E8C083B556DD05874AC669B58A4D1CD05D1E1B771EB4C32942869E387C6FA2B317B5F489138BD90135117DAEB051D96A7823B531DF0303BD4245A036F25A20
Malicious:	false
Preview:	........@$y.e.v...h.~...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.#...z.2...\|.8...}.J.....R.....W....._.....g.....o.....v.....}.....................................................S...........J.....e...........4.....d.....w...........Y.......................u.......................m.......................\.......................[.........................................7.......................;.......................K.......................x...........;.....R.................9.....T................. .....,.............................w...........#......................./.....=.................'...../.................".....1.................$.....,.................O.....g.................4.....J.................,.....O.................4.....A.................=.....i.................&.....7.................#.....;.................?.....Z...........U.................C...................................@.....M...........................................

C:\Users\user\AppData\Roaming\GamePall\locales\fa.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	773397
Entropy (8bit):	5.04618630633187
Encrypted:	false
SSDEEP:	12288:Rpf0JNE8u313uyqoe+srXcfqEdvRmXzoT4WmdAQifaQ2XxFvGk62BtMX9OxRdpxL:RN4E8u313uyqoe+sEqIvRmXzoT4WmdA+
MD5:	C998140F7970B81117B073A87430A748
SHA1:	8A6662C3AABDAC68083A4D00862205689008110C
SHA-256:	182F18E4EFCA13CA59AFD1DF2A49B09733449D42526EE4700B11A9C5E6AAC357
SHA-512:	5A947A44F674F9556FDD44D2E4FF8CF0E0AAC4475FFA12480CA1BD07CFE7514961B7CACE6760189432B4B4BEB5EA5816701158EB3CB827A806F3063853C46D5E
Malicious:	false
Preview:	.........#..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.#...s.4...t.=...v.R...w._...y.e...z.t...\|.z...}...............................................................................-.....T.....9.......................^...........u..........._.............................H.................a...........S.....f...................................?.................j..........._.............................'...........f.......................I.......................v.............................Q.....u...........}.................S...........).....@...........x.................m...........M.....d...........p.................H.................:...........`.................`...........l...............................................s...........C...........0.....P.......................;...........1 ....V ....q ....+!.....!....'"....I"....."....\|#.....#.....#.....$.....%.....&.....&....j'.....(....l(.....(....W).....)....M....p.....*....n+.....+.....+....d,.....-....P-....x-

C:\Users\user\AppData\Roaming\GamePall\locales\fi.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	483378
Entropy (8bit):	5.428549632880935
Encrypted:	false
SSDEEP:	6144:0gE19jr//8e36LTFh20RJrDs6TIOEysaIuLL5yYWyHrE5WacvkoPWmMWO4AMBXH+:0F19f/r5pa35yYdHrE5WaVpoYD
MD5:	1CFD31A6B740D95E4D5D53432743EBF1
SHA1:	20CEEEA204150BD2F7AAE5866C09A3B0AE72D4C5
SHA-256:	F821E06B4BACD9E7660A2D6912A049591FFD56C6D2A0A29B914648589B17B615
SHA-512:	C483B7347F91BE8EE515DCF352A1D7502B9A159EDE35EACCEBAA763B93A625BCE2D0C7D598C2A6111092257D6DAC7A167102E956697210D4694B9812D70C8A94
Malicious:	false
Preview:	.........#..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.%...v.:...w.G...y.M...z.\...\|.b...}.t.....\|.....................................................................................................^.....q...........7.....j.....}...........Z.......................~.......................s.......................D.....d.....t........... .....F.....`...........C.......................Q.....}.................S.......................T.........................................E.............................k......................./.....P.....\.................).....3.............................p.......................L.......................0.......................%.......................B.............................g.......................e.......................d.......................M.....d.....s...........*.....T.....f...........".....[.....u...........x.................I.......................Y.......................4.....v.......................S.....~.

C:\Users\user\AppData\Roaming\GamePall\locales\fil.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	546749
Entropy (8bit):	5.197094281578282
Encrypted:	false
SSDEEP:	6144:9yXQPElrGUyaX3CC6tD/ty3DQZIbY0eiWFevNnGFZ338mC54Vmj68AR8q0:jPGrGUyaXCo0hn7C5CmF
MD5:	6EDA0CD3C7D513AAB9856EC504C7D16F
SHA1:	BA24C4B994E7866F2C012CCEC6C22DFC1A4FCFF6
SHA-256:	3CD2BC9E887663C5E093E0334BC60CF684655A815E3DE7AD9A34BAD5EBB858B1
SHA-512:	47000F5EA882CB9EDDCF4FB42ED229423EE55AA18B4A4353D7EF85ADFA7E1B0BBB33C2469887224D7146B3E33FB2296749CD053D68D7DAF26980BC710A27C63E
Malicious:	false
Preview:	.........$..e.@...h.H...i.^...j.j...k.y...l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.......!.....&...........6.....>.....E.....L.....S.....T.....U.....Z.....g.....\|.................K...........:.....X...........O.................Q...........>.....e...........Z.......................~.................%.......................h.................H...........^.................M.................!.................H.....b...........].................V...........B.....d...........#.....N.....k.................A.....N.................,.....;.................S.....i...........5.....k.....z...........=.....o.....}...........>.....o.....}...........@.....r...................................R.......................L.......................<.......................e.................U.................F.....`...........>.....q.........................................%.................4.................4.................J.....b.................B.....X...........N.......

C:\Users\user\AppData\Roaming\GamePall\locales\fr.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	568277
Entropy (8bit):	5.380723339968972
Encrypted:	false
SSDEEP:	12288:jAnyjhCfqwFZLiQphDDq6QuaMV5wKzQOtX1Z/MYnYtYAXfyzku5Qx0JSWkv40wC9:DwfKsV0v5Dv
MD5:	D185162DF4CAC9DCE7D70926099D1CF1
SHA1:	46594ADB3FC06A090675CA48FFA943E299874BBD
SHA-256:	E40C07183A32B75930242F166C5AAE28F4CD769BB2268391BEAA241814E7D45A
SHA-512:	987D9CC6AD5F2ED6A87537FDADF105F6EB31A97B11156E70814FE021047E5D8D08398F008812038DF3CCDCB6254BF5B744D9982FE04F79D407AC2F53BB046E25
Malicious:	false
Preview:	.........$..e. ...h.(...i.9...j.E...k.T...l._...n.g...o.l...p.y...q.....r.....s.....t.....v.....w.....y.....z.....\|.....}..................................... .....'.........../.....0.....2.....B.....P.....b.....q.................6.....X...........?.................'.................(.................W.................4.....`.....p...........D.........................................{...........(.....L...........*.....i.....{...........S.........................................}...........i.................N.......................H.....r.................N.......................f.......................}.......................x.......................e.......................d.................+.................&.......................8.....~.......................k.................0...........;.......................f.........................................d.................6...........4................."...................................R.....k.................G.....[...........G.......

C:\Users\user\AppData\Roaming\GamePall\locales\gu.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1103776
Entropy (8bit):	4.336526106451521
Encrypted:	false
SSDEEP:	3072:jcdEyVvWvQsIHIwjAwREJKVMjNiT7llj63rhJWlPvpMi5eQWiYJ+WR6/GQoy2zE4:jcdRW7ca43WP5fahqHRT
MD5:	44F704DB17F0203FA5195DC4572C946C
SHA1:	205CBCC20ADCCCF40E80AA53272FBA8CD07389CA
SHA-256:	4B073F08F0C8C035974B5EC43AA500F8BDD50E6CFE91A2FB972A39E0F15ECEDD
SHA-512:	3CFD4501556845141EE9B461C831CA59779AD99F0E83E8D03433DE78D774378E87DE752DD9711C112A0C584259AD1DA6DC891D92F3F447F63A4D84263CD5BFCE
Malicious:	false
Preview:	........4$..e.^...h.f...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.#...\|.)...}.;.....C.....H.....P.....X.....`.....g.....n.....u.....v.....w.....\|.......................&.....b....._.....0.....l....._..... ...............................................a.......................G.................r...........\.....\|....._...........z.......................V...........n.....B...................................7.....4...../.......................".......................4.....p...........P...........E.....m.......................................................................'...........}.......................C.................j .....!....u!.....!.....".....#....\$.....$....K%.....%....R&....{&.....'.....'.....'.....'.....(....b).....).....*....'+.....+....t,.....,.....-....9.....\|............/....W0.....0.....0.....1.....2....33....f3.....4.....5.....6.....6.....7.....8....<9.....9....\|:....H;.....;.....;.....<....s=.....=.....=.....?.....?.....@

C:\Users\user\AppData\Roaming\GamePall\locales\he.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	681555
Entropy (8bit):	4.658620623200349
Encrypted:	false
SSDEEP:	12288:WpoaixZvjhpxS28YeqhCTrNGmnSWqo/IoXOl60pAC2XbheQCap125EVGo94N5plo:raY9xr5Jof
MD5:	E75086A24ECAA25CD18D547AB041C65A
SHA1:	C88CE46E6321E4A21032308DFD72C272FB267DBD
SHA-256:	55BE8A5ED9FB9C129AC45B7FC99574B9907350AFD024BAA5D07525F43E995F6B
SHA-512:	01D7FDD90B8D0D3779B8442250E2AA767481B2E581F880BF9C3DCBB15FCE52E477B1881F3704FBCB3172DB77DB10241BCB24851BFE30066D1E9B66244B3C6877
Malicious:	false
Preview:	.........$..e.....h.....i.....j.'...k.6...l.A...n.I...o.N...p.[...q.a...r.m...s.~...t.....v.....w.....y.....z.....\|.....}.........................................................................+.....D.....].....z.....?...........~...........).............................O.................T...........#.....E...........:.......................w.................W................./...........F.................V...........5.....T...........K.................3.............................o...................................E.........../.....a.....t.............................z...........,.....?...........5.....v.................q.................5.......................r.................1...........X.................I.......................y.................$.................k...........).................!.......................#.................7.....P...........e.......................e.............................w...........W ..... ....$!....K!.....!....7"....g"....."....@#.....#....-$

C:\Users\user\AppData\Roaming\GamePall\locales\hi.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1167065
Entropy (8bit):	4.308980564019689
Encrypted:	false
SSDEEP:	3072:iThcTTz73y8mSKxbap2jSV9wuHfV/BB0ZV1d1muOlRLXW3XHij0TByntDPtDlSpq:iq/3y3LagjSV9wuWyQ5s5Nhnn
MD5:	1FF8A0B82218A956D2701A5E4BFA84EF
SHA1:	56BB8218963E14ADCC435F2455891F3A0453D053
SHA-256:	62E7C3ABC317931723BE11ADD3712DD15EAAB0A35A4D8E7DB0B6347104EC5733
SHA-512:	3330D983401953AA5ED4856A8D10FFCBEEFC2A4E594CF850566A0AD38837BC1164870BB1270B6BBE5D7DD6FB1ECA29CDE85869A5C51808B901CDC282E04764E4
Malicious:	false
Preview:	.........#..e.....h.....i.....j.....k.....l.%...n.-...o.2...p.?...q.E...r.Q...s.b...t.k...v.....w.....y.....z.....\|.....}...............................................................................?.....j.............................................../.....j.........................................N.....}.....P...........^...........F...........A.....d.....K...........N.............................L.....&...........V...........f...................................L.....~.................{.................A.................y..........}...........;........................................[.................,.....K...................................j ..... ..... .....!....J".....".....".....#.....$....T%.....%....@&.....&....8'....d'.....'.....(.....(.....(.....)....6..........*.....+.....,.....-....c-......................%/.....0.....0.....1.....1.....2....i3.....4....B4.....5.....6.....7.....7.....9.....9....S:.....:.....;.....<....F=.....=.....>....N?.....?.....@.....@.....A....LB

C:\Users\user\AppData\Roaming\GamePall\locales\hr.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	526575
Entropy (8bit):	5.518614920030561
Encrypted:	false
SSDEEP:	3072:zdgTWCQP8wCyCFH9OpEE63aBV08Lwcuo+wvxr0Xcp/A/SOSAqb+HicHE0uP1z4Nd:iT+PE4pEi7cwJPcd75Gr76lx2U
MD5:	0BD2F9847C151F9A6FC0D59A0074770C
SHA1:	EA5313A194E9D99489E9F1D7B4DFC0BC986C8E17
SHA-256:	5F2F1AA2E2EC78F375084A9C35275E84692EE68A1E87BBEF5A12A2C0FCF7F37A
SHA-512:	0032C0B41FDF769DAA1AF23C443D4195B127DF9EA8621174F1AABDBAFAE4954383095FA1EEAD14FC458188B8837BBE9AECA0D5338E4D47F10D976FBED8609496
Malicious:	false
Preview:	........F$s.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.)...y./...z.>...\|.D...}.V.....^.....c.....k.....s.....{.................................................................k...........Y.....z...........F.....~...................................e.......................y.......................m.......................l................. .................q................._.........................................A.............................4.......................j.......................D.....f.....w.................*.....:.................4.....I.................&.....5.................8.....M................. .....0.........................................S.....n.................0.....M.......................3....................... .................E.....v...........!.....F.....\...........).....[.....t...........U.................M...........(.....:...........".....`.................G.....v.................$.....B.....T...........0.....n.

C:\Users\user\AppData\Roaming\GamePall\locales\hu.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	566819
Entropy (8bit):	5.6387082185760935
Encrypted:	false
SSDEEP:	6144:eQRmd80ZaJ156ZjnOL42HPs2P3Ar7ky1XB5VwFZfpadYG5uU1gGse33a5TRFGsty:eQRI5aJ18Q5AXB5VwAbj/3a5uTB
MD5:	4C27A1C79AB9A058C0A7DFFD22134AFD
SHA1:	5F0A1B34E808B91ADB1E431E462D9FCF82F4FFF2
SHA-256:	AD98C0A367B51EB217E69D66FA6A946946E85EC8452FC5A7AE0F179F35BE28C3
SHA-512:	0F066DB5905EB24B6CB4FBC7C81F017B43AFB7A6E975886644D871E979406B990509905D100653496EE2D20969A77434B702FF1EA5D348274AE54EA597A91D5E
Malicious:	false
Preview:	.........$..e.....h.....i.!...j.+...k.:...l.E...n.M...o.R...p._...q.e...r.q...s.....t.....v.....w.....y.....z.....\|.....}.........................................................................+.....A.....V.....j.................9.....W...........N.............................................".....X.....q...........K.....r.................Y.................?................."...........I.................7.......................k...........'.....7...........:................./.................:.................Z.....w...........O.....v.................f.................5.................(...........2.....u...................................M.................0...........6.....x...................................m.................)................. .....I.................O.....g...........c.................O.......................E.......................r...........'.....H...........v.............................l...........7.........................................5...........& ....q

C:\Users\user\AppData\Roaming\GamePall\locales\id.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	466959
Entropy (8bit):	5.379636778781472
Encrypted:	false
SSDEEP:	6144:GLaXpeWC+RYgVj5ZabK6s1o8Ff+cVnjHFe6miZ4FZ57VhGwkK5R3SzP7IEji40HQ:GOZbRYgVjmu6F8PVnjHFPmM4b57VhRQ
MD5:	1466C484179769A2263542E943742E59
SHA1:	18E45A08661FD6D34BADE01CDB1E1D5184BA2B67
SHA-256:	C331293D16B16B08DEF73BE73437845D58C593941320C547A377DB423749AEBB
SHA-512:	ABC54D5CAAA663578F064E43CC0465BEB97EFC46991936708EBF3FCD64BD007E47072AB4834A5361B21F064BB0F6527E247BC2C2F0DFB8336F50C2FF3E15A59C
Malicious:	false
Preview:	........ $..e.6...h.>...i.O...j.[...k.j...l.u...n.}...o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.........................'...../.....6.....=.....D.....E.....F.....H.....V.....c.....s.................k................. .....l.......................l.................-.......................0.............................R.....s.................I.....x.................T.......................@.....j.....w.................L.....Y.................Z.....m...........H.......................%.....@.....Q.............................c.......................<.......................#.....t.......................L.....x.................%.....R.....^.................>.....K.................5.....G.............................J.......................".....h.......................L.....}.................#.....=.....K.................+.....:.................2.....K...........C.......................u.................,.....\|.......................C.....b.....r...........1.....h.

C:\Users\user\AppData\Roaming\GamePall\locales\it.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	522800
Entropy (8bit):	5.284113957149261
Encrypted:	false
SSDEEP:	6144:ujs00Cb2DBUItx92+fMiMNDYISIqRRRsO1StBWRT9Tjex6qipELqb2pzHi9fLwsW:Ks0bSH6mZD38H04KUp05HloP
MD5:	7767A70358D0AE6D408FF979DF9B2CD4
SHA1:	9C57A5B068DC12AAF1591778DEF5D3696377EDAB
SHA-256:	672908E77E9EACA793654C8E630442099DE3BE772FD3230A9C4045CAFBCC0B1E
SHA-512:	913AA8C49D04CD84706D08A88453D1ED36FDE6A00F7C1DF63DECEA99316A8A234924457C0C50937329B3979E437B1C2D7796E63ADF209505E212FDCEAE3BFDB5
Malicious:	false
Preview:	........-$..e.P...h.X...i.i...j.u...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.$.....,.....1.....9.....A.....I.....P.....W.....^....._.....`.....b.....u.......................E...........3.....O.................V.....g..........._.................o...........#.....L.............................k.......................n.................2..................................w.................5.......................R...................................c................./.....[.....y.................=.....K.............................x..............................................`.......................4.............................^.........................................B.............................F.....\.....r........... .....L.....a...........=.......................b.......................8.....c.....v...........[.................c...........S.....j...........d.................[.................).....v.......................X.............

C:\Users\user\AppData\Roaming\GamePall\locales\ja.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	634636
Entropy (8bit):	5.718480148171718
Encrypted:	false
SSDEEP:	6144:vFKfek4L5DTNJL+i4+tZKQ2lMzbU5AhAxVH:vQfYdDh9jtZKQ2lMM5Aha
MD5:	4A4AF69546DCF65F2D722A574E221BEA
SHA1:	EE51613F111CF5B06F5605B629952EFFE0350870
SHA-256:	7AD195AF107F2A394BAB527C3E84E08F3B7748076F23459F084CF0E05DD29655
SHA-512:	0E93F6B22F7C9176EFC9D49901BFBD281FA5AC3632780DFA76CE597CADD8C1CF570A9163A86BC320BBFBD354F48288DBEC5E36A6088999B00A3561D302A96D03
Malicious:	false
Preview:	........n#K.e.....h.....i.....j.....k.....l.....m.....o.%...p.2...q.8...v.D...w.Q...y.W...z.f...\|.l...}.~...............................................................................................6.....W...........}.................l........... .....8...........c.......................B.................W.......................x...................................7.....V...........e.................=.......................].......................{...........#.....2...........y.................`...................................<.....W...........j.................y...........e...................................h...........(.....:...........%.....a.....p...........{.................}...........m..................................._...................................Z.....x.............................o...................................:.....U................d.....z....."................?...........X.................`.................@.................g............ ..... ..... .....

C:\Users\user\AppData\Roaming\GamePall\locales\kn.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1256908
Entropy (8bit):	4.247594585839553
Encrypted:	false
SSDEEP:	12288:uCTfkA6GtYQnVY2oE67c577UKc+E+htuYw:vKa5XUd
MD5:	6A41A5AB03A22BDAEC7985B9A75EC11A
SHA1:	6BB02DF557BD6522E02FE026C0243BEB9332B2E5
SHA-256:	E22873652AC7D9D18E47DAE838D121B5644EDA4C67F7B0BC110733BF7E931FEA
SHA-512:	BCA661D802D29463A847AC77EB8D5DFA41C31455E7314049CA26555957DCA3BE33701C074F7ED26D2C375A0A9C5F8A93461007B8D74F5ED3BD27C02E5DB170A5
Malicious:	false
Preview:	........O$j.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.;...y.A...z.P...\|.V...}.h.....p.....u.....}.................................................................W...........".....V.....W...................................n...........b............................._.......................<.....)...........s.......................).............................1.....7...................................[......................................................................u...........f...........K.....^........................ ..... .....!..../"....i"....=#.....#....r$.....$....I%.....%....l&.....&....p'....((.....(.....(.....)....N...............,.....-.....-................./.....0....W0.....0....z1.....1.....1.....2....Y3.....3.....4....@5.....6.....6.....7.....8.....8.....9....V9.....:....R;.....;....1<.....=....B>.....?....]?.....@....DB....BC....wC.....D.....E.....F....$G....\H....AI.....I....4J.....K.....K.....L....PL.....M....lN.....O

C:\Users\user\AppData\Roaming\GamePall\locales\ko.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	532715
Entropy (8bit):	6.0824169765918725
Encrypted:	false
SSDEEP:	12288:FrJ83zNWTvTjXKcat8OQ4EVhG1KACqX567GGq+8Mttq7hUomrOeWl+:FruH3588Z7l+
MD5:	5FD9942F57FFC499481947DB0C3FDFA7
SHA1:	4D60AB21305902877467FF6151C1B7AB12553AAE
SHA-256:	09E279860E20E9E559945940E29446CAD4273D05C5F3F15D0BAD664A1D5749F2
SHA-512:	97953E580588C07769F1BD0002E2DF648FFCE5B246D2359E4475EDCFA1CD6E7286BAF168A115D7A65686B2151C313B6FD0C271E40B1F9DD4132F2F39904FE8D4
Malicious:	false
Preview:	........O#j.e.....h.....i.....j.....k.....l.....m.....o.....p.....q.....r.....s.....t.....y.#...z.2...\|.8...}.J.....R.....W....._.....j.....r.................................................................].................5.................O.....b...........F.......................p.................'.......................,.......................;.......................L.......................e.......................Y.......................X...................................Q.....h.................>.....U................. .....0.........................................-.....I.................A.....Q.................L....._.................K.....[.................J.....Z...........O.......................Z.....{.................U.....}.................`.................%.......................J.............................h.......................\.................+.......................m.........................................'.............................x.........................

C:\Users\user\AppData\Roaming\GamePall\locales\lt.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	573015
Entropy (8bit):	5.63016577624216
Encrypted:	false
SSDEEP:	12288:Lg7mwvXReMAg8m5QI963AS572zJbrWCO6SjM:LWmwvAMf77S5Ob6CZ
MD5:	8745B87D09D9ECC1112C60F5DD934034
SHA1:	2F411E4EEF0E656CAC0C755FECE1AD2531CB689E
SHA-256:	D546C994C81510122E7B2359DA50F694E1F0CA4081830404E16187A5CF4D4E0D
SHA-512:	27B658C153A01AABB9595C5B1059567E535EDFC8F8187B89316D2C85694DE32696D209CFDD2A32C4826DFB1E50AC692937156563EE190E68DB358C40F9AAE15F
Malicious:	false
Preview:	........+$..e.L...h.T...i.e...j.q...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}. .....(.....-.....5.....=.....E.....L.....S.....Z.....[.....\.....^.....l.....y.................4...........".....=...........S.................M...........'.....A...........8.....p...................................A...................................B.....g...........z.................R...................................;.....K...........c.................T...........2.....P...........2.....Y.....t...........W.........................................E...................................D.....S...........Q.........................................S.............................B.................&.......................t...........1.....Y...........K.................+.........................................'...........N.................A.................,...........q.................d...........&.....F...........x.................(.......................H ..... .....!

C:\Users\user\AppData\Roaming\GamePall\locales\lv.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	570683
Entropy (8bit):	5.624052036286866
Encrypted:	false
SSDEEP:	6144:tNNTAgEq8RFSv528c6ZyJxyNGtVF2tPiz7c4YbUSZbb3n5KygNgE/J5gosRyEAYd:t2cvn8ipizw4XkXn5pEh50yMZhd
MD5:	E16B0B814074ACBD3A72AF677AC7BE84
SHA1:	10744490B3E40BEB939B3FDCA411075A85A34794
SHA-256:	46B5C09AA744AF0F660C79B0CDBDE8C8DBDD40A0BA1A23AAF28D37ECC4211DC5
SHA-512:	70EA9DFAC667C0992AE0E95815A47EB8E779BAAE1215E733AFE84EEE26D3BA754AD838C12E9AEE3114D7BBE11CD21B31C550F5CAFE6C5E838B69E54C6174EF18
Malicious:	false
Preview:	........O$j.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.;...y.A...z.P...\|.V...}.h.....p.....u.....}...................................................................................Z.................G.................%...........Z.................F.................6.................Q.....\...........Q.........................................\|.....#.....t...................................W.................0...........T.................B...........8.....Y...........$.....J.....`...........-.....V.....h...........;.....b.....v.............................G.......................r.........../.....>...........'.....Z.....k...........c.................@...........3.....K.................).....>...........=.....t.................c.................(.................2.......................8...........<.....q.........................................:.................8...................................N.....^...........0.....K.....m............ .....

C:\Users\user\AppData\Roaming\GamePall\locales\ml.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1307271
Entropy (8bit):	4.279854356980692
Encrypted:	false
SSDEEP:	12288:HhSK0A2cMmsbbAxqInxb/D/xn9mMRTAr6DhPQA+tHxy3ewh+53R7dC4s/fv3iWr:HhEzozqry3e753R7xs/X3V
MD5:	309E068B4E15157486D095301370B234
SHA1:	D962CDAF9361767045A928966F4323EAD22D9B37
SHA-256:	4F2C19B7E94B695C5C5CAB95DEE6E49AE53C3337C351B5C665BCB6BA4E6AE909
SHA-512:	6B1333946C7950D97D2DF29D063DB39A0EC5C0EEAA1ECA40743E4A6A0E4C972D897D3FF2BA837B53E31B8003F2C5C4BACCB7A4AB4B50C6CB47DF39AD7B8E05E7
Malicious:	false
Preview:	........N$k.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.,...w.9...y.?...z.N...\|.T...}.f.....n.....s.....{...........................................................$.....d.................Z.....C.......................W...........%.....r.....a.......................}.................n...........................................................I.................m.......................l.......................5.....y.............................^.............................j.......................\|............ ..... .....!.....!....".....#.....#....V$.....$....n%.....&.....&.....&.....'....n(.....(.....)..........*....W+.....+....c,....+-.....-.....-...........0.....0.....1.....1.....2....!3....Y3.....4.....4.....5....T5....06.....6.....7.....7.....9.....9.....:.....;.....;.....<.....=....Z=....\|>....s?.....@....T@.....A....UB.....C....SC.....D.....E....yF.....F.....G.....H.....I.....I....-K....(L.....L.....M.....N.....N....eO.....O.....P.....Q.....R

C:\Users\user\AppData\Roaming\GamePall\locales\mr.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1075591
Entropy (8bit):	4.313573412022857
Encrypted:	false
SSDEEP:	3072:IdobAeuAdmMcQq9Vth6iQm0vLJuVXrMHwrNf3FaMUCyGR93RkR3bntOubz1hzudo:kBrhP0pJvC3YGINa5apw7xM
MD5:	69C36C23D6D9841F4362FF3A0F86CFDF
SHA1:	C4C1F632EB8373107AEEBD6C26ECF036AEDA2B6B
SHA-256:	6A794C2B08F8B046BE771DF33719536BDAF2371E3825D49A0E556958B781832D
SHA-512:	8C1329BDB371677BC0A9D727A38591EDF32025BAE1E7EFE402D01C6A8BB5F647D827C59A18F40455D5C9C0482798525C98C3F1C8AC568AA886D7C1ED07D1580E
Malicious:	false
Preview:	.........$..e.....h.....i."...j.....k.=...l.H...n.P...o.U...p.b...q.h...r.t...s.....t.....v.....w.....y.....z.....\|.....}.........................................................................@.....b.................%.....]...........W.................J.............................:.....@.....=...................................&.................&.....F.....P.......................h...........o...............................................c...................................R..........._.................i...............................................J.................. .....!.....!....(".....#.....#....O$....{$....B%.....&....c&.....&....F'.....(...._(.....(....R).........y.....*.....+.....-.....-................./...../...../.....0....61....l1.....1....Z2.... 3.....3.....3.....4.....5.....6.....6.....7.....8.....9....E9....u:....n;.....;....@<.....=....O>.....?....5?.....@.....A.....B.....B....MD....WE.....E....eF....nG....LH.....H.....H.....I.....J.....J.....K....5L....)M.....M

C:\Users\user\AppData\Roaming\GamePall\locales\ms.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	489457
Entropy (8bit):	5.250540323172458
Encrypted:	false
SSDEEP:	6144:vmcUWQ6L+c0ABZU+JsxJwCuMlG0j2sUcSP57lRKsMyYlEFU:UWBiKU9xJblGu2j5LhMN
MD5:	A1253E64F8910162B15B56883798E3C0
SHA1:	68D402D94D2145704DC3760914BF616CC71FC65D
SHA-256:	E033BFAD6CD73EA7B001DFAF44B7102E3BBE2A1C418F005C149E4FB2565DB19F
SHA-512:	ABD63713093049ECC8E24FD8145EAE065340058A3C38758A59EE8796FBED7E6CFBC54982D650889F1CEB54797060C7DDA12EEE2A963B14C5E907A110C2057DBE
Malicious:	false
Preview:	........T$e.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v./...w.<...y.B...z.Q...\|.W...}.i.....q.....v.....~........................................................................................._.....{...........:.....n.....~...........\.................#.......................=.......................1.......................3.......................Y.................*.....z.......................W.......................E.......................b.........../.....A.............................N.......................$.....x.......................r.......................z.......................p.......................^.......................Q.......................r.................!.....s.......................S.....w.................6....._.....p.................T.....w.......................#.......................$.................2.....K...........B.......................s.................,.............................P.....r.................0.....].

C:\Users\user\AppData\Roaming\GamePall\locales\nb.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	476208
Entropy (8bit):	5.4272499712806965
Encrypted:	false
SSDEEP:	12288:tWg5xWMIiM/YAwOp7fUB4a+O5/v4xizdvn:lTWJiBaa+O5X4kzx
MD5:	622ED80836E0EF3F949ED8A379CBE6DF
SHA1:	9A94CD80E747B88582470EF49B7337B9E5DE6C28
SHA-256:	560B2F09C1B6E6BB7E6A5A5F9BF85A88BD2ACA054B7D4A5955D9C91B6D7CA67C
SHA-512:	950627E74180E1451BB35AE4A7416AC14D42D67BBBB59DC51D7B69E4CEB61715F8F9B0EB9D7F35FCEFD4D43FABE5CE2103F1AF3709CAE6733C25AC19E6339A83
Malicious:	false
Preview:	........2$..e.Z...h.b...i.y...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|."...}.4.....<.....A.....I.....Q.....Y.....`.....g.....n.....o.....p.....r.....}.......................N...........A.....V.................X.....k...........z.................K.......................L.......................:.......................;.......................g................./...........<.........................................R.................1...........Q.......................\.....u.................1.....V.....f.................9.....I.................H.....\.................J.....Z...........".....T.....d.................@.....P.................<.....J...........4.....y.................B.....h.....{...........&.....E.....^.................-.....?...........,.....k.................V.....\|.................b.......................i.................&.......................s...........9.....b...........*.....V.....i.................".....0.................).

C:\Users\user\AppData\Roaming\GamePall\locales\nl.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	491139
Entropy (8bit):	5.362822162782947
Encrypted:	false
SSDEEP:	6144:v+rgHaGglVZ5Rb23gihngHh9gog5CHLp7hh45Pt8xcGpF9u+59OTD:2sy/5Rkagog5OR45Pt8xcGpF9uMOTD
MD5:	C8378A81039DB6943F97286CC8C629F1
SHA1:	758D9AB331C394709F097361612C6D44BDE4E8FE
SHA-256:	318FB294CE025BDA7636B062CA7B6A1FB1E30C485D01856159CB5DB928782818
SHA-512:	6687FFE4DE0D5A2314743EB3134096292724163D4E0332D2F47922B4807B0CDE7C20E2D57D2662E403D801BC7A20BC247F5D0EDD787AB650E5766B49AF7D3C63
Malicious:	false
Preview:	.........$..e....h.2...i.C...j.O...k.^...l.i...n.q...o.v...p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}...............................#..........1.....8.....9.....:.....<.....H.....X.....i.....{.............................X.......................\|...........4.....J.................M.....d.................8.....G.......................).................8.....Y...........1.....h.................F.....{.................U.........................................\.................4.............................Y.......................-.....~.......................}.......................v.......................V.......................5.....a.....n...........*.....^.....m...........I.......................X.......................>....._.....v...........,.....T.....f...........8.....o.................=.....[.....o...........3.....e.....v...........H.....................................................E.....j...........5.....f.....{.................B.....R.................B.

C:\Users\user\AppData\Roaming\GamePall\locales\pl.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	550453
Entropy (8bit):	5.757462673735937
Encrypted:	false
SSDEEP:	12288:ilOHODZWoOB/ohU/FmXgvh6HA7b0mPeCUd0e3mPUbEmw1QhWRH5RbL4fqhx:ilOHcntp01Qhc5BH
MD5:	80C5893068C1D6CE9AEF23525ECAD83C
SHA1:	A2A7ADEE70503771483A2500786BF0D707B3DF6B
SHA-256:	0069648995532EFD5E8D01CC6F7DD75BD6D072E86C3AE06791088A1A9B6DACC4
SHA-512:	3D1C41A851E1CF7247539B196AD7D8EE909B4F47C3CFB5BA5166D82CDA1C38049B81A109C23FA6D887490E42EE587CC2A6BD96A3EA890267C089AC74710C755F
Malicious:	false
Preview:	........6$..e.b...h.j...i.{...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|."...}.4.....<.....A.....I.....Q.....Y.....`.....g.....n.....o.....p.....r.............................X...........S.....o...........=.....w...................................i...............................................z.................$.................1.....W...........M.................*.......................@.......................l...........0.....L...........].................9.....v.......................E.....h.....x.................,.....:.................<.....P.................>.....P.................6.....F.......................-.........................................e.....}.................4.....K.......................;.................+.....@.................a.................+.....I.....`.................9.....U...........2.....}...................................w...........'.....R.................9.....J.............................v.............

C:\Users\user\AppData\Roaming\GamePall\locales\pt-BR.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	516256
Entropy (8bit):	5.426294949123783
Encrypted:	false
SSDEEP:	6144:1UhHzMCHTKZbciymNBXBL29RlMyE156UJuKbjsRhk8HR:1iTMCHepyy5BJrsRK8x
MD5:	3BA426E91C34E1C33F13912974835F7D
SHA1:	467A1B05BAD23252A08EE22E6B9EBB4404F6A0F0
SHA-256:	CB66D88D3B3938FE1E42C50ECB85CEDB0D57E0F0AB2FA2A5FC0E4CDEA640E2B7
SHA-512:	824A4301DC4D935FF34CE88FAA0354440FC1A3A8E79B0F4B0B2DCC8F12542ECEF65828FB930EDF5B35BF16863296BBAE39E9306962B4D3CFA9F6495AC05BDEF4
Malicious:	false
Preview:	........9$..e.h...h.p...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.$...\|.*...}.<.....D.....I.....Q.....Y.....a.....h.....o.....v.....w.....x.....}.............................d...........L.....h.........../.....h.....x.............................w.................(.....y.......................^...................................:.....j..........._.................:......................._...................................K.....d...........p.................5.............................q.......................n.......................w.......................p.......................O.....}.................).....W.....a.................V.....g...........b................. .....j.......................;.....a.................=.....U...........N.................2.....W.....p...........8.....p.................S.................@.................0...........1.....{.................X.......................0.....V.....k...........C...................

C:\Users\user\AppData\Roaming\GamePall\locales\pt-PT.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	518861
Entropy (8bit):	5.4029194034596575
Encrypted:	false
SSDEEP:	6144:duLNFZMWdTu4PJzwfieJVJJxhofzlCOfVY35WKfmSRtG:dIFOQu4Ru35WK+SRI
MD5:	4D7D724BE592BD0280ED28388EAA8D43
SHA1:	8E3C46B77639EB480A90AD27383FBB14C4176960
SHA-256:	4724D82866C0A693C2B02D1FFA67D880B59CDB0D3334317B34EC0C91C3D3E2A2
SHA-512:	D05388F66C50E039F7D3393515740F6B2593F9C0EF8651F9CDE910C5FF06656E0D22FDB066B22665289EE495837EA16CC085ECB3F85B0F6FB498AECDAA19ADF7
Malicious:	false
Preview:	........I$p.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v."...w./...y.5...z.D...\|.J...}.\.....d.....i.....q.....y.......................................................................u...........Z.....u...........@.................).................$.................S.....w.................D.....T.................(.....:...........(.....j.................x.................H.......................g...................................9.....N...........D.......................p.......................^.......................a.......................q.......................r.......................U.............................[.....e.................P.....a...........?.......................O.....y.............................?.................0.....J...........#.....p.................9.....c.....u...........#.....Y.....n.........../.....}...............................................G.....k...........N.......................B.....g.....\|...........J.......

C:\Users\user\AppData\Roaming\GamePall\locales\ro.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	537125
Entropy (8bit):	5.4566742297332596
Encrypted:	false
SSDEEP:	6144:OM7ZImGlQNYzdJu7XTLH/7FSmoixefinKdoGN5QBo4s2e/umOz:OM7umbN887XTLjFSmoEeqKdN5ooD/iz
MD5:	4F1C0A8632218F6FEF6BAB0917BEB84F
SHA1:	05E497C8525CB1ADE6A0DAEFE09370EC45176E35
SHA-256:	9C19835F237B1427000D72C93703311CFCBEFF6C2B709474B16DB93E629BC928
SHA-512:	A7CDF94F79CD888BB81FD167F6B09BF1BEF2C749218869E5A12A0A3B2C2506D1A63F64B63D8E48EA49375636041C639082563BF9D526FE44003FC5A5E8D50E9D
Malicious:	false
Preview:	........0$..e.V...h.^...i.o...j.y...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.(.....0.....5.....=.....E.....M.....T.....[.....b.....c.....d.....f.....u.......................3.................+.................%.....9...........@.................1.......................Q.......................4.......................C...................................>.....b...........@.......................d.........................................p...........@.....n.................+.....H.............................h.......................M.......................J.......................7.............................].......................E.....t...................................?.............................W.....w.................\.................).......................f.......................W.........................................'...........$.....y...................................f.......................j.......................l...........+.

C:\Users\user\AppData\Roaming\GamePall\locales\ru.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	878725
Entropy (8bit):	4.848685093578222
Encrypted:	false
SSDEEP:	12288:tIoWrxfQjRo4YK7yMhNKgNzJ9fx+aAka2qSGsN8zqcnYH8eXN2hPO3j/zpbzvMwD:t5W2hM5a6Ev
MD5:	3A3D0D865A78399306924D3ED058274E
SHA1:	AA1A42DB6021666B2297A65094D29978792CE29B
SHA-256:	EAB4C32FEBE084CC7A3A272CDA008B69D6617ED6D042376B0316BE185B9E66FE
SHA-512:	ACA8C87D0B2BB35A325726F7774F8A0232B99C8EFE0F948AB68210958E23B95E9D9026A9430D96FC2D5CEBA94815F4217896EF877C9A6E1D0E56F73533FB1D12
Malicious:	false
Preview:	.........#/.e.....h.....i.#...j./...k.>...l.I...n.Q...o.V...p.c...q.i...r.u...s.....t.....v.....w.....y.....z.....\|.....}.........................................................................9.....V.....n...........V.......................g...........i...........l.....).................g...........,.....f.......................@.................6.....M......................./....."...........l..........._...........D.....y..... .................&.......................5.....9.....3.............................B.................r.................D...................................=.....b.........................................E.....\...........Y.................'...................................D.....n...........j.................9.......................a...........i...........v...........t...........a........................ ....,!....l!.....!....j"....."....R#....\|#....O$.....%.....%.....%.....&....x'.....(....Q(.....(....z).....).....)....]..........+....$+.....+.....,.....-

C:\Users\user\AppData\Roaming\GamePall\locales\sk.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	553886
Entropy (8bit):	5.812150703289796
Encrypted:	false
SSDEEP:	12288:qYdqsGk2Rswyzir+e/5ybvfLe3HXLPxt9B:qYdqshwyk/5WLOlt/
MD5:	A9656846F66A36BB399B65F7B702B47D
SHA1:	4B2D6B391C7C2B376534C0AF9AA6779755B4B74E
SHA-256:	02B65F48375911C821786D91698E31D908A4C0F5F4F1460DE29980A71124480E
SHA-512:	7E23CAA89FF80BF799AC5353CEAF344CBED0393F23D15FCBE8DC24EE55757F417CEA3BFC30889FD2CB41951F9FA5629C2E64B46DD9617D4A85EFEF0A255246F6
Malicious:	false
Preview:	........5$..e.`...h.h...i.\|...j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.%...}.7.....?.....D.....L.....T.....\.....c.....j.....q.....r.....s.....u.............................h...............................................[.........../.....I.................S.....j...........9.....h.....{...........4.....].....q...........J.................?.............................%.....`.....y...........\................./.............................%.....v.................G.....g.....\|...........=.....c.....u...........6.....].....o...........O.........................................".......................3.......................R.............................-.....x.................0.....K....._.................0.....E.................G.....W...........T.................).....w.................-.......................M.............................O.................J.........................................'.........................................E.

C:\Users\user\AppData\Roaming\GamePall\locales\sl.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	532410
Entropy (8bit):	5.486224954097277
Encrypted:	false
SSDEEP:	6144:xh5Gk07QLr32zTMCB29i2iM8nnbrNjSdum4ocyxPbPD+DgpvubVmavfDszt55J36:xzqroCB2T+cM+p5XLcaJHjcGi/fzICqU
MD5:	BE49BB186EF62F55E27FF6B5FD5933F4
SHA1:	84CFD05C52A09B4E6FA62ADCAF71585538CF688E
SHA-256:	833F2E1B13381AA874E90B747931945B1637E53F2396A7409CCDA0A19CBE7A84
SHA-512:	1808631559D3C28589D3F5A4B95554CEBC342DE3D71B05DDC213F34851BF802967BFFAC3D7668C487265EE245D1E26EFCE5D317EDBFBBEEB4BC2C9F122980585
Malicious:	false
Preview:	.........$..e.....h.6...i.G...j.Q...k.`...l.k...n.s...o.x...p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}...............................%.....,.....3.....:.....;.....<.....>.....P.....^.....n...................................y.................&...........2.....}.................h.......................g.......................Z.......................v.................O...................................3.....I.................T.....h...........b.................S...........$.....J.......................(.............................n.......................z...........$.....8.................2.....C...........).....j.................;.....i.....\|...........?.....q.................[.......................g.......................L.....j.................G.......................~.................I.......................B.......................b.............................^.............................o.........................................j.......................x.......

C:\Users\user\AppData\Roaming\GamePall\locales\sr.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	818089
Entropy (8bit):	4.779985663253385
Encrypted:	false
SSDEEP:	12288:2wXfBMlzA74ddLYbeHIdN4SGdEzWeUnLYA1785f91Mxix9d8G37gjeAS/k//:7BMl1+kx85ox8Y
MD5:	AFA2DFBA3BD71FE0307BFFB647CDCD98
SHA1:	CD7A5C54246E891981AEEEAA88D39EC9E3F2C594
SHA-256:	1375353837629A20102C69BF62701EE5401BED84D3DC4845BED5EE43E4D322CF
SHA-512:	CE8BBBDDC33CB6B8DF4AEE127A8987E6D8C1D0761AC5BD25D685310BAA2D377F239BDF06F2C04B54295CF8FD440697A69A040644D5A7C0395C4F71A0252B8E87
Malicious:	false
Preview:	........=$\|.e.p...h.x...i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.,...\|.2...}.D.....L.....Q.....Y.....a.....i.....p.....w.....~.........................................).................W...........O...........\...........z.....E...................................3...........b.................a.................5.......................1.....1...........v...........\|...........{...........`...........Y.....~.....d...................................S........... .......................{...........(.....K...........H.................c...........d...........3.................)...........B.................D.................(...........W.......................E.................~...........'.....O...........^.................~ .....!....]!....z!....J"....."....=#.....#....0$.....$.....$.....%.....%....P&.....&.....&.....'....1(.....(.....(.....).....*....5+....S+....A,.....,....Z-.....-....^...........=/....^/...../....Y0.....0.....0.....1....'2.....2

C:\Users\user\AppData\Roaming\GamePall\locales\sv.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	479512
Entropy (8bit):	5.541069475898216
Encrypted:	false
SSDEEP:	6144:nCOvlCAE5I3POziaLh11OBIrknaI4FwxgufNfhn4RFcmi8G96iMjSOwDE/xWcqVM:nCONCAUIONwIrJFav5A5Gcb
MD5:	09592A0D35100CD9707C278C9FFC7618
SHA1:	B23EEF11D7521721A7D6742202209E4FE0539566
SHA-256:	9C080A2F6D4EDF0E2E94F78550B9DB59ADF5B1B9166DE2BAE496E6ABB6733304
SHA-512:	E0760B3F227A3E7EAEB4816B8E02BEE51C62730D24403724D66B36BCCBC0BDCD56DF9EAB28B073AB727EE12C8856A858E52A9803E1A1C9164FCD3CF2F716D8AF
Malicious:	false
Preview:	.........$..e.....h.....i.....j.%...k.4...l.?...n.G...o.L...p.Y...q._...r.k...s.\|...t.....v.....w.....y.....z.....\|.....}.........................................................................#.....5.....I.....]...........b.................).......................e...........2.....K.................T.....p...........&.....U.....e...........%.....V.....f...........J.........................................O.......................Y..................................._.....u.............................n.......................J.......................'...............................................(.............................z.......................j.......................h.......................\|.................$.....w.......................M.....k.......................?.....Q...........).....f.................J.....i.................;.....c.....x...........1.....l...................................q.................?.................;.....N.............................p.............

C:\Users\user\AppData\Roaming\GamePall\locales\sw.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	504856
Entropy (8bit):	5.34516819438501
Encrypted:	false
SSDEEP:	12288:77eon/zb9IzbIcvt5cuCERdyU7bQg8Wo67pJ8zvgu35Agb95H4sKPe/Bruf+:Go/z2z853z
MD5:	9E038A0D222055FED6F1883992DCA5A8
SHA1:	8FA17648492D7F093F89E8E98BF29C3725E3B4B5
SHA-256:	DDCA575D659545D80E715EB4176BBBBFBD3F75E24B223537B53740B0DCB282BD
SHA-512:	FB70F97E08191DFEB18E8F1A09A3AB61687E326265B1349AB2EFF5055F57E177A496BF0EA3592B61C71FE1F73C9143CA1495B05226F36EB481024827CAE6DCC4
Malicious:	false
Preview:	........4$..e.^...h.f...i.q...j.}...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.,.....4.....9.....A.....I.....Q.....X....._.....f.....g.....h.....m.............................?.................$.................2.....D...........7.......................P.......................A.....l.....{...........&.....U.....c...........0.....d..................................._.......................m.......................n.............................*.......................J.....r.......................>.....G.........................................A.....O.................4.....F.................G.....R.................).....6.................).....2.................\.....u...........(.....T.....p...........2.....c.................D.......................l.................B.............................j.................+.......................j...........?.....S...........5.....x...................................P.......................r...........%.

C:\Users\user\AppData\Roaming\GamePall\locales\ta.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1298313
Entropy (8bit):	4.058495187693592
Encrypted:	false
SSDEEP:	6144:DyM7zFIW2Yt1s6Tyk0vh54P50zxtR1cA25tm1vYpiMyS:DyEFN2wTTwzy50zzcA25tm1vYpiMyS
MD5:	36104CB0D5E26E0BBB313E529C14F4B4
SHA1:	69A509DEE8419DA719DCF6DE78BFE0A6737508C5
SHA-256:	DC28C869A143424F71EDCFDB08B56DA31C2EC96E9D608535FFA7DC0B0842B7D8
SHA-512:	D46ED1AA19EB298BC4C3D61EFC28D80753D6B551F01808E6158A0869FAAE8755DF61D4B4BAFF1310DD09FCFC385ABA67E1AA7D61BBE399DF7BB2D483EBE0FEFF
Malicious:	false
Preview:	.........$..e.(...h.0...i.A...j.M...k.\...l.g...n.o...o.t...p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}...............................!.....(...../.....6.....7.....8.....=.....k.................:...........5...........$.....v...........`...........(...........Z.................%.............................O...........j.....L.........................................m...........u...................................;.....c...........7.................................................................8 ..... ....m!....I".....".....".....#.....$.....%....9%....d&....n'.....(....L(....C)....4..........*.....+.....,....3-....a-....Z.....J/...../...../.....0.....1....Z2.....2.....3....:5.....6....Z6....U7....=8.....8.....8.....9.....:.....:....F;.....<.....=.....=.....>....E?....S@.....@....[A....3B.....B....IC.....C.....D.....E....[F.....F....+H....>I.....J....pJ....\L....FN.....O.....O....DQ....QR.....S....{S.....T.....V.....V....'W....+X.....Y.....Y.....Y.....[....9\.....\

C:\Users\user\AppData\Roaming\GamePall\locales\te.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1199612
Entropy (8bit):	4.314031920337284
Encrypted:	false
SSDEEP:	12288:m/ai7McKNkCRWtgd49+agb0DQWp5Bi3p1Fm6OiTlC2pFg+NFqPZrOIoXAofQARG+:YNG35IMm4
MD5:	98714389748A98ECC536CD2F17859BDF
SHA1:	07761AA31588F30C2CED4A1E31FE99DDC43A5E8D
SHA-256:	8A81B1A5457407E49D6372677938E7A2D28DFCA69F555FEDC8A2C9C09C333A65
SHA-512:	38CC4F064BD874EEC9DBFAB4C2A83A487FBCD89CEFB40BE4213C42231BC48AF9255341C9D325EE059BC50EE533898C5FA22CD3B3927A8E045049DEF3C5DFB2C6
Malicious:	false
Preview:	........N$k.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.....s.....t. ...v.5...w.B...y.H...z.W...\|.]...}.o.....w.....\|.......................................................................X...........J...........\|...............................................f.........................................~.............................Y.............................A.............................d.....X.........../.....k.....b...........5...............................................'.......................L.....u ....:!.....!.....!.....".....#....$....k$.....%.....&....6'.....'.....(.....)........._*.....+....P,.....,.....-....'...........m/...../.....0.....1...."2....f2.....3.....4....R5.....5.....6....G7.....7.....7.....8....I9.....9.....9....{:....0;.....;....)<.....=.....>.....?.....?.....@....bA.....A.....B....JC....(D.....D.....D....DF.....F.....G.....G.....I....@K....qL.....L....4N....EO.....O....pP.....Q.....R....?S.....S.....T....^U.....U.....V....`W....[X.....Y

C:\Users\user\AppData\Roaming\GamePall\locales\th.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	1008989
Entropy (8bit):	4.356501290091745
Encrypted:	false
SSDEEP:	12288:h4aFlPACsN9LyZYA2T6z1L/LLftDjsAnILwgv1V5UBGsL3fBj8BlzEdq3Ro9lGdg:KexAI+515I
MD5:	56F29DE3465795E781A52FCF736BBE08
SHA1:	EAA406E5ED938468760A29D18C8C3F16CF142472
SHA-256:	529C561747BF8B6206BE4F8BCF287A1D15E1B14A33113242DDAD5E035CA37BE6
SHA-512:	519B5B3CC7032B2AF856456EEC25019B3A6A7F2A6DB7A0318CF87C41E08C6F6BFA73E239939B0DA16972C1D357FF06177765D875E19742D23E99A95FD4AC5416
Malicious:	false
Preview:	........i#P.e.....h.....i.....j.....k.....l.....o.....p.....q.....r.....s.0...t.9...v.N...w.[...y.a...z.p...\|.v...}.....................................................................................'.....{.......................^...........e...........f.................s...........I...........]...........P...........r.................{...........D.....]...........;...........$.................,.....}.....K...........v...........e...........r...........m.....................................................E.......................P.......................:.......................B.......................b.......................s.......................X.......................S..................!.....".....".....".....#....0$....\|$.....$....j%.....%....5&....l&.....'....z'.....'....!(....A).....)...............+.....,....H,....x,....M-.....-....6.....l.....k/...../....o0.....0.....1.....2....>3...._3.....4.....5....c6.....6.....7....n8.....8.....9.....9....f:.....:.....:.....;.....<....D=

C:\Users\user\AppData\Roaming\GamePall\locales\tr.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	515329
Entropy (8bit):	5.616482888977033
Encrypted:	false
SSDEEP:	6144:j7ECvtm4HeFQmOMquxFX50LZhRjCqQOdspXHG4lge+5vk/R+hi1h2vdFAMTwAK5A:PEgfHeWmrqUqCFHGz5vk/g
MD5:	46CA9EE922C3C175DE466066F40B29CE
SHA1:	5563E236A15CD9CC44AE859165DF1E4E722936C7
SHA-256:	BD8B1441FD2057F0B61512CC0AA23DFD2619560CF886B4D453FA7472E7153A3F
SHA-512:	45AA2D6896568751C2F986ABD281EA07CB731880DF8F28F2F0AEFD95736F41B1E005D8DFB6F0AEF0CED6CEF94154D34FD0DA2CB7F0B0C66D9C085F5C47F32605
Malicious:	false
Preview:	........c$V.e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.%...s.6...t.?...v.T...w.a...y.g...z.v...\|.\|...}...........................................................................................)...........L.................+.......................e........... .....;.................7.....J.......................)......................................... .....B...........5.....x.................Z.......................Q.....{.................w.................Q.................!.......................'.......................&....................... ................."...../.................5.....F.................9.....F.................2.....>.................7.....D...........I.......................v.......................i.......................P.......................q.................-.....z.......................m.................,.............................*.................B................."...........(.....n.................N.....~.................l.......

C:\Users\user\AppData\Roaming\GamePall\locales\uk.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	876131
Entropy (8bit):	4.88404350774067
Encrypted:	false
SSDEEP:	12288:bLrZJnRzDcwCfnbz/T0hoaiJI/t58B3IjeAXmESIOujLNiXEqqbTE/z+4uL2uo9:DRaz65QE2
MD5:	1365ABDD1EFB44720EA3975E4A472530
SHA1:	8421FC4905C592EB1269C5D524AA46866D617D3C
SHA-256:	29AB0F7EE69FB7A1E1E54DD2A3746D2CFEAAA71AE5971EE30AA8E2E0F6556FA5
SHA-512:	2E806A9BEA864E689BBD1D78B800DFDBC6E4109320F9A4790E52010BFDEC20C7644655A6FE3BABDE0B84D9580208CB78EF1FA0DB3476F8676C17A13D130296C7
Malicious:	false
Preview:	.........#..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r.'...s.8...t.A...v.V...w.c...y.i...z.x...\|.~...}.....................................................................................1.....s.....W.......................r...........x...........m.....!.......................<.............................n...........,.................-...........\|.............................=.....y.....+...........%.....K...................................w.............................N...................................r.................O...........N.................^...........\...............................................h...............................................R.....m.....f.....6.............................W.....y...........O.....x...........K...........j...........z .....!.....!.....".....".....#....R#.....#....&$.....$.....$.....%.....%....s&.....&.... '.....(.....(....~).....).....*....Q+.....+.....,.....,....Z-.....-.....-....[............/....4/.....0.....0....$1

C:\Users\user\AppData\Roaming\GamePall\locales\ur.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	765853
Entropy (8bit):	5.17061834928747
Encrypted:	false
SSDEEP:	12288:0efUL84T5HD8P4WuD66yACLUj5A9DPEFYW3KYcQYriwadcJKwUxuvco/9NjjFpvj:0RLBw652W4
MD5:	3FED15E64BEAFBA75DE61B08A45AE106
SHA1:	E24953271D8C0254AD011D3A65B2C2FA57903681
SHA-256:	B6E250C3F4FBAC3AF5FB8BB1C61CACAD8685D7F2A97063DE23BC22E91B7F2E27
SHA-512:	3948D080135AFEB240815D43F7B5B8D407BA2830FF701D9B8343F2A72E610827EDAAB643444CDCEB86812ADFC9FB3FBA3AAD6DB7488843C2A04E92A3E63FE40D
Malicious:	false
Preview:	........1$..e.X...h.`...i.h...j.t...k.....l.....n.....o.....p.....q.....r.....s.....t.....v.....w.....y.....z.....\|.....}.#.....+.....0.....8.....@.....H.....O.....V.....].....^....._.....d.....\|.............................n.....................................................).....^.......................<...........G.................J.................9...........E.................~...........{...........\...........L.....k.......................,.................9.....e.....C.......................>...................................8.....Z...........C.................;.................-...........L.................N.................1...........-.....y.........................................s............................p........... .......................i...........).....J.......................L...........M ..... ..... ....Y!.....!....4"....Z"....,#.....#....&$....W$....'%.....%....^&.....&....f'.....(.....(.....(.....)....3..............]+.....+.....,....F,.....,....z-.....-

C:\Users\user\AppData\Roaming\GamePall\locales\vi.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	609259
Entropy (8bit):	5.796202390024141
Encrypted:	false
SSDEEP:	12288:BcQ6o+ccwJ2roEw/aBuAZgsHeW0xEEDOI9g/C5WS8jUmAnAiEwziMHzmwtKnE:BP6o+ccwJ2iafZgsHL0x755v8ImviEKv
MD5:	CD741C24AF7597E0DC11069D3AC324E0
SHA1:	2A883DFBCF48D5093D70D4B77BBFFFA521287334
SHA-256:	13E982DC4B2B1AEE093E96BA27E02258C2B815CBB062006A4396BB3A3E6A84B1
SHA-512:	6D27998E25B57FF0CE08C3590B69031038CBA390E68333A83514022B2C56B689AF8AD9715302824027864B5320852E9AB77D74E3B8A90DC66DF59F48CEB528C9
Malicious:	false
Preview:	.........#..e.....h.....i.....j.....k.....l.....n.....o.....p.....q.....r....s.;...t.D...v.Y...w.f...y.l...z.{...\|.....}...........................................................................................;.......................-...........A.................[...........O.....u...........v.................6.......................+.......................}...........G.....y.....9...........K.....y.............................z...........?.....V...................................T.................X.......................r...................................9.....J...........H.......................}.................'.......................<.......................O.............................Z................._..................................)........... .....V.....v.......................j...........N.................3...................................O.....v................./.....C.......................@...........) ....^ ....w ..... ....J!....}!.....!..../".....".....#....8#

C:\Users\user\AppData\Roaming\GamePall\locales\zh-CN.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	441207
Entropy (8bit):	6.685712707138377
Encrypted:	false
SSDEEP:	6144:+oIY7NcgHG7dNzh9aG/7C5ccJL7kzDg5lbSNu6BoHHclS:pugQfznaJ5ccJLAg5BSNu6Bot
MD5:	99E6ACFB46923C4F8B29058E9EE6166B
SHA1:	AF06C42E5F3578ADBC4F0BD7262DC6775FDD351F
SHA-256:	9D8498875263B19552A982D1850F2F942FF44AF4E323BC5A3A67C34413994D95
SHA-512:	4FDF5186FC2FC68210C2BE91F5B821F0979CA67D6C9B8915C14E7A20D3CE2548EB2660D5F9F398CF6C585A5C0725FA34FD3670F416F7C8A4F009C729BCF02988
Malicious:	false
Preview:	.........#..e.T...h.\...i.d...j.g...k.v...l.}...m.....o.....p.....q.....r.....s.....t.....v.....w.....\|.....}...............................(.....-.....5.....<.....C.....E.....J.....S....._.....q.................v.................1......................./.......................:.......................>.............................c.......................D.....j................._.......................n.......................T.....}.................@.....o.................V.......................5.....O.....i................."...........x.......................U.......................].......................=.......................".....s.......................L.....u.................g.......................W.....w.................3.....X.....o...........&.....J.....\.................=.....].............................y.......................y...................................N.....`...........,.....d.....y...........).....O.....^.............................\|.......................x.

C:\Users\user\AppData\Roaming\GamePall\locales\zh-TW.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	439630
Entropy (8bit):	6.6906570508767995
Encrypted:	false
SSDEEP:	6144:jmdbGlobIxk24IkGE0Jxv2323uWn4hmv50Ynz21Hs0yn7zyjkbTE:jcbGl8IxEGtbn4hmv50YnzC4n7+7
MD5:	BB7C995F257B9125457381BB01856D72
SHA1:	21C55FF5CBC4F223C23D5A2FBCC9E051DB78A44C
SHA-256:	F2299E03E99B0E9A9CACE3B1C72E6C8C5FE089487CA1C82F2AAF4273B62E37A2
SHA-512:	5247C5DA6F00DF6241500524DDB162041A03649FA0AFCC11AD40E820814958768A2E11CE34E1250FDBF42B2459F8C06B00AE7442B537F0731A62C6724FC8D890
Malicious:	false
Preview:	.........#,.e.....h.....i.)...j.-...k.<...l.G...n.O...o.T...p.\...q.b...r.n...s.....t.....v.....w.....y.....z.....\|.....}...................................................................%.....4.....C...........3.....q.................+.....T.....`........... .....R.....d.................M.....b.................3.....?.............................g.......................[.......................S.......................;.......................*.......................@.......................F.............................D.....d.....p.................2.....A.............................q.......................T.......................<.............................i.......................f.......................A.....[.....o.................!.............................u.......................^.............................h.......................P.........................................H.......................Z.......................$.....e.....z.................1.....X.....j...........#.

C:\Users\user\AppData\Roaming\GamePall\log4net.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	275968
Entropy (8bit):	5.778490068583466
Encrypted:	false
SSDEEP:	3072:++EIoS8U9BGRl9bmXPbH79EfZHpMtTOnJDI3lk3ze3XjCVnm7sNzQn7G7k+Yr4zx:bx8CBGRlhmKHpyTmUVkDe3Xjknm7kCU
MD5:	7EA1429E71D83A1CCAA0942C4D7F1C41
SHA1:	4CE6ACF4D735354B98F416B3D94D89AF0611E563
SHA-256:	EDEC54DA1901E649588E8CB52B001AB2AEC76ED0430824457A904FCC0ABD4299
SHA-512:	91C90845A12A377B617140B67639CFA71A0648300336D5EDD422AFC362E65C6CCD3A4FF4936D4262B0EAF7BAE2B9624BCD3C7EEC79F7E7CA18ABE1EC62C4C869
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....L.X...........!.....,..........~K... ...`....... ..............................H.....@.................................$K..W....`...............................I............................................... ............... ..H............text....+... ...,.................. ..`.rsrc........`......................@..@.reloc...............4..............@..B................`K......H...........<x...............-..P .......................................i.)V.#c....e../.`...V....j>....?.LbrzKV.x.}...........[.f)..dD`..66.61[.z....W^....>F..r...#. ..g...T...P....Ss)ii.a.v.(0.....(1...o2...s....}.......0..7........{....-%~....r...p.{....r9..p(3...(.....(.......(4.............//........{...."..}......{........0..4..........%...(5....-.~....r?..p(....+...}.......,..(6............')........{......{...."..}.......{...."..}....*.0..........

C:\Users\user\AppData\Roaming\GamePall\log4net.xml

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1547797
Entropy (8bit):	4.370092880615517
Encrypted:	false
SSDEEP:	3072:d0SSirI7aLTIEpJDqdzpJ86pKmuzsxQsB7rDZy4TR05HrK1bEYF4hJrmchE3VEW2:dHRGGG9WHrKWgelJOoLJjxJha4
MD5:	32AB4E0A9A82245EE3B474EF811F558F
SHA1:	9F2C4C9EEB5720D765F2321ACD0FF9F8DD11E6A4
SHA-256:	9BBF4D15F8FB11F7D2C032BD920D2A33B2C2CB8EF62E7E023049AF6132F5D6C1
SHA-512:	A0574A170F69F9926C32BAF6119A16A381FEC9E881B304082859EE7CFF463570C78984EE14369C59CDB19E532B3ABF193D02B462F1B40D07214B6244150CD63F
Malicious:	false
Preview:	<?xml version="1.0"?>..<doc>.. <assembly>.. <name>log4net</name>.. </assembly>.. <members>.. <member name="T:log4net.Appender.AdoNetAppender">.. <summary>.. Appender that logs to a database... </summary>.. <remarks>.. <para>.. <see cref="T:log4net.Appender.AdoNetAppender"/> appends logging events to a table within a.. database. The appender can be configured to specify the connection .. string by setting the <see cref="P:log4net.Appender.AdoNetAppender.ConnectionString"/> property. .. The connection type (provider) can be specified by setting the <see cref="P:log4net.Appender.AdoNetAppender.ConnectionType"/>.. property. For more information on database connection strings for.. your specific database see <a href="http://www.connectionstrings.com/">http://www.connectionstrings.com/</a>... </para>.. <para>.. Record

C:\Users\user\AppData\Roaming\GamePall\natives_blob.bin

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	342741
Entropy (8bit):	5.496697631795104
Encrypted:	false
SSDEEP:	3072:zRAHowF2N4C56MQIi6dD3nhvAwlFUPcm4s9r4V7d+SSo3:zRAHowF2N4C56MQD6dD3nhnlFUPcm4F
MD5:	A58DB728B50E6B82CBDCAA0DB61D36B1
SHA1:	7CD76526CB29A0FF5350A2B52D48D1886360458B
SHA-256:	BA2F2AC6AE9BC67399728F25772A0EB3E840695395CC747ADF4B2F8B5D6D9A46
SHA-512:	0DB9AFBDADA44364521D89BAB6055458125F4F3C8C1B09048EAFA4055A194231CCFFD82FCDADA9360AB2B19F472B893330EBFCB027391E7A0C2B1100FC51E673
Malicious:	false
Preview:	..mirrors....(function(a,b){."use strict";.var c=a.Array;.var d=a.isNaN;.var e=a.JSON.stringify;.var f;.var g;.var h=b.ImportNow("promise_state_symbol");.var i=b.ImportNow("promise_result_symbol");.var j;.var k;.b.Import(function(l){.f=l.MapEntries;.g=l.MapIteratorNext;.j=l.SetIteratorNext;.k=l.SetValues;.});.var m={.UNDEFINED_TYPE:'undefined',.NULL_TYPE:'null',.BOOLEAN_TYPE:'boolean',.NUMBER_TYPE:'number',.STRING_TYPE:'string',.SYMBOL_TYPE:'symbol',.OBJECT_TYPE:'object',.FUNCTION_TYPE:'function',.REGEXP_TYPE:'regexp',.ERROR_TYPE:'error',.PROPERTY_TYPE:'property',.INTERNAL_PROPERTY_TYPE:'internalProperty',.FRAME_TYPE:'frame',.SCRIPT_TYPE:'script',.CONTEXT_TYPE:'context',.SCOPE_TYPE:'scope',.PROMISE_TYPE:'promise',.MAP_TYPE:'map',.SET_TYPE:'set',.ITERATOR_TYPE:'iterator',.GENERATOR_TYPE:'generator',.}.var n=0;.var o=-1;.var p=[];.var q=true;.function MirrorCacheIsEmpty(){.return n==0&&p.length==0;.}.function ToggleMirrorCache(r){.q=r;.ClearMirrorCache();.}.function ClearMirrorCache(r){.

C:\Users\user\AppData\Roaming\GamePall\resources.pak

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	8226870
Entropy (8bit):	7.996842728494533
Encrypted:	true
SSDEEP:	196608:BRbyvUoyiZocNqBbwMIdCM6whz/xpkr92nEVvXJAqkXJ:f2v5xN0wPB6WxpkrS8N4
MD5:	F7EC58AEA756F3FD8A055AC582103A78
SHA1:	086B63691F5E5375A537E99E062345F56512A22C
SHA-256:	517418184EA974C33FFE67B03732D19B1234DCB9E5C1C2E9E94ED41B3BC1D064
SHA-512:	C620C6E16BBCEE9BC607E6CA75D602C756276AC69E5F3761D82DE7728164133656A71A69043EB1A86CE3051FDE4327A47EFD41D1FF47C8385699CA67C423AD7B
Malicious:	false
Preview:	............f.6:..{..D..\|..G..~. K.....]....._....=.....c...........9.....B.............................F.....K/.....2....54....r5.....6.....?.....@....jB.....C....hD.....E.....H....nj.....k.....r....@~...."..........W.....................;..../;'...2;P...7;....8;....C;....D;U...E;....F;....G;A,..H;.;..I;gK..J;.Z..K;.h..L;.}..M;y...N;{...O;z...P;....Q;8...R;....S;....T;C'..U;.=..V;.W..W;.m..X;....Y;....Z;D...[;....\;....];.....<.....<x....<.....<-....<\....<.....<.....<.....<.....<*(...< /...<+3...<.3..I=.3..J=.7..K=.9..R= >..S=.G..T=}V..[=;w..\=.x..]=.}..^=R..._=....`=....a=....b=....c=....e=:...f=.....=....=.....=....=`....=p....=.....=.....=.....=.....=.....=K....=.....=t....=.....=.....=.....=\....=Z....=.....=T....=[....=x....=.....=.....=D....=.....=.....=.....=l....=F....=.'...=j)...>.+...>l,...>_0...>.2...>.6...>.8..N>.\..O>~^..P>._..Q>%d..R>.k..S>.l..T>Tn..U>.p..b>.u..c>/y..d>.\|..B@....C@....D@o...E@....F@W...L@Z...M@(...N@...O@....D.....D ....D ....D;....D.....D....D..

C:\Users\user\AppData\Roaming\GamePall\snapshot_blob.bin

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	276319
Entropy (8bit):	4.242318669799302
Encrypted:	false
SSDEEP:	3072:pQ9Nwsu4PnhuhbXeu9wbO2/D9yytfPzMfS6vNZq:pQoJBhbBRKDGH4
MD5:	8234983533FA47D2A1D7710FF8274299
SHA1:	E4C5793B6FE6A6C6C9D8E3921B3BC341AE3448D8
SHA-256:	F95553D8066144CBB8A05EED1735C94A4B97A2E44E49F624C2302990A13017C9
SHA-512:	1E7E201B0FF9AFA7821B5FFD0A36548A49CD4DBBABA5858E13DA35058670A5053723DD3544B2FD85C619F2B8FC9E5DB48DF977BB293E7BA7DE6F22CC8DAB28CA
Malicious:	false
Preview:	.........X./j1N.11.8.172.9.......................................................@...y...........@..`....`....`....`b...`....`............B..............b........."..............B..............b...(Jb...)L.....@..F^.1..5.`.....(Jb...-P.....@..F^..`.....H...IDa........Db............D`.....-.D`.....D]D....D`......WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa............L...................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\start.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	29
Entropy (8bit):	4.159199529386524
Encrypted:	false
SSDEEP:	3:LjnXgnKsH:fQKm
MD5:	FF2077D414778DB1E7DC844E9AE55347
SHA1:	6258BC2F81DF20A2EA2539598313684DF10ED693
SHA-256:	55B535EBD9ABE00F702B8362D6B4A4A18F27F030887E907F8161CF79E3B182E0
SHA-512:	DAD4A28357090B3B782AB47B3508A33B8F0A1797818D743620239E97B77779E6F5E40CB0942361DDF97834A49F27A529B71A26E3EC08820A88179EC548A64F94
Malicious:	false
Preview:	start GamePall.exe 8KuQuyEucb

C:\Users\user\AppData\Roaming\GamePall\swiftshader\Xilium.CefGlue.pdb

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	MSVC program database ver 7.00, 512*4023 bytes
Category:	dropped
Size (bytes):	2059776
Entropy (8bit):	4.067542396670122
Encrypted:	false
SSDEEP:	12288:zGdv6ZOCD1JEBSMPp35Q6glA8uOcbxfjUclEO+KEAt:zQCACD1Jr+35Q6LOcbxfAKEnc
MD5:	70F9EAEA8A2A604E59F72EDE66F83AB4
SHA1:	0AB9EA1BFFDFF471EC22AB289C7FBC5E0CDF48BF
SHA-256:	38A07BA75CC2BBDF715CA87D380A4E5A0DCFAF9C30C5ECD30F6107871D51825B
SHA-512:	47DE4DAD93385A4907FADE307040FE026ED66989C0C9915AFC96CB2BC93DE5E106DC1274E4AD2382021C758C60FEDE06D68998CF3591E23E2951778CE09D6D4C
Malicious:	false
Preview:	Microsoft C/C++ MSF 7.00...DS................J..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\swiftshader\libEGL.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	346624
Entropy (8bit):	6.54104466243173
Encrypted:	false
SSDEEP:	6144:s3Yqz++E93Is4CtuvK6/AWdCVJ/gc6+XpxJbi+UKg1oxuA8uLVHhlu7D9k0P92XE:soC++G4sO+J/gc6+Xpzi+UKpquzlu7DW
MD5:	7A53AD3E5D2E65C982450E7B7453DE8A
SHA1:	99F27E54F1F61207C02110CAC476405557A8AD54
SHA-256:	24FDDD6A367792A9D86D9060FC9AA459B5FB0F67804CB7D139A100D86BBDAFF8
SHA-512:	2B5E5DB46FDC787CB46CDAEBFFC01586E248FBB864677B27AF03CDC33E956DEF51B3F836597E7092C4175CF605C44728C6F96B74BB2C9870E9715D4AF4C531A1
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......_.........."!.........T............................................................@A....................................P....p...........................3..4.......................8........G...............................................text............................... ..`.rdata..............................@..@.data....4..........................@....00cfg.......@......................@..@.tls.........P......................@....voltbl......`...........................rsrc........p......................@..@.reloc...3.......4..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\swiftshader\libGLESv2.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2445312
Entropy (8bit):	6.750207745422387
Encrypted:	false
SSDEEP:	49152:XDEYOEFSOv490qncuR2zJirE61O17bp2WpMKiK4sFtvRJEIEhA69d+LFr1jWNHFi:XLFl+HFKD+biGMWRgWPWck2SiZbC
MD5:	334C3157E63A34B22CCE25A44A04835F
SHA1:	C6B05BD55BE9FED3B0C5077C5649E2A41C10DC08
SHA-256:	3E307570B574469EC8BCF1CE6D5291DF8D627CA3812F05AACFEBBD3F00B17F89
SHA-512:	11F538ADD05515861891892EBB90163B6540B72FEB380D64B4A0AA56C6415E3B71374557BF50D0B936712B1006F2B94D59BEBFBF18CBF93BB883D9055CAAEEE9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......_.........."!.....4 .................................................p*...........@A..........................#.. ....$.d....P)......................`).......#.......................#......."...............$.P............................text.../2 ......4 ................. ..`.rdata..\....P ......8 .............@..@.data...L....@$...... $.............@....00cfg....... )......>$.............@..@.tls.........0)......@$.............@....voltbl.M....@)......B$..................rsrc........P)......D$.............@..@.reloc.......`)......H$.............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\v8_context_snapshot.bin

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	data
Category:	dropped
Size (bytes):	631017
Entropy (8bit):	5.144793130466209
Encrypted:	false
SSDEEP:	6144:tQ8NIJFP47mT2reYaonhIZijJN0MhbA0u:DIJjS8mJNBu
MD5:	0794DF29DF8DFC3ECE5C443F864F5AEB
SHA1:	BFD4A9A34BEB9751BC4203FB9A9172F1F05E5B16
SHA-256:	3EE2237E9B14871165B051CCF892C8375E45B5F12841E02F4B9D37F5D5A03283
SHA-512:	0D34E36F7455B977F086F04840FBA679284A619A7164A56B5C7FC2ADCB23A231B67A62101540EB07CF5C8192790266B08D2CC232D291621C331FE77C1F5E52C0
Malicious:	false
Preview:	..........d..<..11.8.172.9......................................................@...]!...S..y...-[..........`....`....`T...`b...`....`............B..............b........."..............B..............b...(Jb...)L.....@..F^.1..5.`.....(Jb...-P.....@..F^..`.....H...IDa........Db............D`.....-.D`.....D]D....D`......WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa...........WIa............L...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4400640
Entropy (8bit):	6.667314807988382
Encrypted:	false
SSDEEP:	98304:DrQcuW1iHUXeBwYN/jmlqjLPh34n3E0xnHTCOTr9:DrQcu2iH5Bv249o3E0x
MD5:	7F913E31D00082338F073EF60D67B335
SHA1:	AC831B45F2A32E23BA9046044508E47E04CDA3A4
SHA-256:	B60E9818C4EA9396D0D2D2A4AC79C7DC40D0DFF6BB8BC734D0AB14ADC30FBF30
SHA-512:	E1AC79C775CF9137283CD2C1AE1A45EC597E0351CDB9C11D483E2E1F8B00CC2BBC5807A50DED13A3A5E76F06C1A565EFF1233F4EC727B0C5F7AA3BEAEA906750
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....$5.........P.-......................................PD...........@A........................8=?.~....\?.P.... B......................0B.X.....?.....................H.?......@5.............._?..............................text...T#5......$5................. ..`.rdata...a...@5..b...(5.............@..@.data...@N....?..x....?.............@....00cfg........B.......A.............@..@.tls....5.....B.......A.............@....rsrc........ B.......A.............@..@.reloc..X....0B.......A.............@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\vk_swiftshader_icd.json

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	106
Entropy (8bit):	4.724752649036734
Encrypted:	false
SSDEEP:	3:YD96WyV18tzsmyXLVi1rTVWSCwW2TJHzeZ18rY:Y8WyV18tAZLVmCwXFiZ18rY
MD5:	8642DD3A87E2DE6E991FAE08458E302B
SHA1:	9C06735C31CEC00600FD763A92F8112D085BD12A
SHA-256:	32D83FF113FEF532A9F97E0D2831F8656628AB1C99E9060F0332B1532839AFD9
SHA-512:	F5D37D1B45B006161E4CEFEEBBA1E33AF879A3A51D16EE3FF8C3968C0C36BBAFAE379BF9124C13310B77774C9CBB4FA53114E83F5B48B5314132736E5BB4496F
Malicious:	false
Preview:	{"file_format_version": "1.0.0", "ICD": {"library_path": ".\\vk_swiftshader.dll", "api_version": "1.0.5"}}

C:\Users\user\AppData\Roaming\GamePall\vulkan-1.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	826368
Entropy (8bit):	6.78646032943732
Encrypted:	false
SSDEEP:	24576:XWygS4iaktBPIUt34P6Z5WoDYsHY6g3P0zAk7QsZD:xnRPIUtc6Z5WoDYsHY6g3P0zAk7Q+D
MD5:	A031EB19C61942A26EF74500AD4B42DF
SHA1:	FDC6EA473234F153639E963E8EFB8D028DA1BE20
SHA-256:	207706A3A3FAA8500F88CB034B26413074EFC67221A07C5F70558F3C40985A91
SHA-512:	80F843E47FC2B41B17EF6EA1BB2BB04119B2417311599EC52120D9F9DF316B4D7B1DAF97EE5CDF2AE78CDB9475E5C65255A7F2AB2A9231804F6A82C83303FD19
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L.....e.........."!.....\|..........@.....................................................@A...........................<!..$...P....p..............................l..............................................P................................text....z.......\|.................. ..`.rdata..tr.......t..................@..@.data....7..........................@....00cfg.......P......................@..@.tls.........`......................@....rsrc........p......................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\GamePall\widevinecdmadapter.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\setup.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	211456
Entropy (8bit):	6.566524833521835
Encrypted:	false
SSDEEP:	3072:IIgyHan0tiWcminIS/Q7yLH3dvcu20qjSoylXGjbAg0Fujurg7VBaB:ILyHa01MLHFuZX3bAOfSB
MD5:	6D7FD214164C858BBCF4AA050C114E8C
SHA1:	B8868DA6BB9A79EE7C9901A9BFAC580D5BAFCC96
SHA-256:	3F58FB22BD1A1159C351D125BEE122A16BB97BABB5FCA67FDBD9AAAED3B302E6
SHA-512:	0F8F2523C3A616AC7C72A1239B7E353F6A684FF75DA79D1CAF9B98A47FF6FE06329165825704C67C04E92073BA2C17D0FF339C57731DDF0F1489C2E97D1D0A14
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............^...^...^..._...^..._q..^..._..^..._..^..._..^..._..^k.._...^..._...^...^...^k.._...^k.._...^n..^...^k.._...^Rich...^........................PE..L...Ua.X.........."!.........(......c........0............................................@.................................x...<....@.......................P..T"......8...............................@............0..0............................text............................... ..`.rdata..`....0....... ..............@..@.data...............................@....gfids.......0......................@..@.rsrc........@......................@..@.reloc..T"...P...$..................@..B........................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.130028698415853
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe
File size:	76'495 bytes
MD5:	e9521ec55c41641cc645a0223b1e9ac1
SHA1:	ef63f2a2d918925b8b44ec9a9b848e919cc6a22a
SHA256:	2c49cd770976c10d5f65114ce71ce14817e3ffaa74cf3bed2fa24f588b13ebf2
SHA512:	2b47b987176e633307fab15343879e0befa461af5e25f15d58eba3ebee9022bfd3bdf9b51ae970509ab6efc7e1dd09917acbef88f5d10104e28b93373187a780
SSDEEP:	1536:6FiFMVzRtVXmqpScuHEMVSco4Romu/T/juizvTbdq2f+:6Fi6z/VXzAf3oco454juKf8W+
TLSH:	2A73DF253390C4B3DB7607B05D7A57A3ABF68D1110A4A3472790EE6FBD772D2890F582
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1)..PG..PG..PG._...PG..PF.IPG._...PG..sw..PG..VA..PG.Rich.PG.........PE..L.....Oa.................d...........4............@

File Icon


Icon Hash:	0771ccf8d84d2907

Static PE Info

General

Entrypoint:	0x4034cc
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x614F9B02 [Sat Sep 25 21:56:18 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f10e4da994053bf80c20cee985b32e29

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 00000220h
push esi
push edi
xor edi, edi
push 00008001h
mov dword ptr [ebp-10h], edi
mov dword ptr [ebp-04h], 0040A130h
mov dword ptr [ebp-08h], edi
mov byte ptr [ebp-0Ch], 00000020h
call dword ptr [004080B0h]
mov esi, dword ptr [004080C0h]
lea eax, dword ptr [ebp-000000C0h]
push eax
mov dword ptr [ebp-000000ACh], edi
mov dword ptr [ebp-2Ch], edi
mov dword ptr [ebp-28h], edi
mov dword ptr [ebp-000000C0h], 0000009Ch
call esi
test eax, eax
jne 00007F8345088101h
lea eax, dword ptr [ebp-000000C0h]
mov dword ptr [ebp-000000C0h], 00000094h
push eax
call esi
cmp dword ptr [ebp-000000B0h], 02h
jne 00007F83450880ECh
movsx cx, byte ptr [ebp-0000009Fh]
mov al, byte ptr [ebp-000000ACh]
sub ecx, 30h
sub al, 53h
mov byte ptr [ebp-26h], 00000004h
neg al
sbb eax, eax
not eax
and eax, ecx
mov word ptr [ebp-2Ch], ax
cmp dword ptr [ebp-000000B0h], 02h
jnc 00007F83450880E4h
and byte ptr [ebp-26h], 00000000h
cmp byte ptr [ebp-000000ABh], 00000041h
jl 00007F83450880D3h
movsx ax, byte ptr [ebp-000000ABh]
sub eax, 40h
mov word ptr [ebp-2Ch], ax
jmp 00007F83450880C6h
mov word ptr [ebp-2Ch], di
cmp dword ptr [ebp-000000BCh], 0Ah
jnc 00007F83450880CAh
and word ptr [ebp+00000000h], 0000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8438	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x36000	0x4108	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x29c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x639f	0x6400	7224e998fe56f3bd47d63fbbb07b7c8a	False	0.6683203125	data	6.446278846973847	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1276	0x1400	f7ab432379f1255f04a3e990ba282ef1	False	0.4333984375	data	5.054263249154582	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x1a858	0x600	8e1e6b6bb7da1113950a0aab31a168c0	False	0.4427083333333333	data	4.079691703439067	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x25000	0x11000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x36000	0x4108	0x4200	04ed5bc7191f2908fa190137579bdcbf	False	0.626953125	data	6.006157417687487	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x362b0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.7213883677298312
RT_ICON	0x37358	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688, 256 important colors	English	United States	0.6751066098081023
RT_ICON	0x38200	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152, 256 important colors	English	United States	0.7851985559566786
RT_ICON	0x38aa8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320, 256 important colors	English	United States	0.6560693641618497
RT_ICON	0x39010	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.8031914893617021
RT_ICON	0x39478	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.3118279569892473
RT_ICON	0x39760	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.36824324324324326
RT_DIALOG	0x39888	0x202	data	English	United States	0.4085603112840467
RT_DIALOG	0x39a90	0xf8	data	English	United States	0.6290322580645161
RT_DIALOG	0x39b88	0xee	data	English	United States	0.6302521008403361
RT_GROUP_ICON	0x39c78	0x68	data	English	United States	0.6634615384615384
RT_MANIFEST	0x39ce0	0x423	XML 1.0 document, ASCII text, with very long lines (1059), with no line terminators	English	United States	0.5127478753541076

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExA, RegEnumKeyA, RegQueryValueExA, RegSetValueExA, RegCloseKey, RegDeleteValueA, RegDeleteKeyA, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, SetFileSecurityA, RegOpenKeyExA, RegEnumValueA
SHELL32.dll	SHGetFileInfoA, SHFileOperationA, SHGetPathFromIDListA, ShellExecuteExA, SHGetSpecialFolderLocation, SHBrowseForFolderA
ole32.dll	IIDFromString, OleInitialize, OleUninitialize, CoCreateInstance, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	SetClipboardData, CharPrevA, CallWindowProcA, PeekMessageA, DispatchMessageA, MessageBoxIndirectA, GetDlgItemTextA, SetDlgItemTextA, GetSystemMetrics, CreatePopupMenu, AppendMenuA, TrackPopupMenu, FillRect, EmptyClipboard, LoadCursorA, GetMessagePos, CheckDlgButton, SetWindowPos, SetCursor, GetSysColor, SetClassLongA, GetWindowLongA, IsWindowEnabled, GetWindowRect, GetSystemMenu, EnableMenuItem, RegisterClassA, ScreenToClient, EndDialog, GetClassInfoA, SystemParametersInfoA, CreateWindowExA, ExitWindowsEx, DialogBoxParamA, CharNextA, SetTimer, DestroyWindow, CreateDialogParamA, SetForegroundWindow, SetWindowTextA, PostQuitMessage, SendMessageTimeoutA, ShowWindow, wsprintfA, GetDlgItem, FindWindowExA, IsWindow, GetDC, SetWindowLongA, LoadImageA, InvalidateRect, ReleaseDC, EnableWindow, BeginPaint, SendMessageA, DefWindowProcA, DrawTextA, GetClientRect, EndPaint, IsWindowVisible, CloseClipboard, OpenClipboard
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectA, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetProcAddress, GetSystemDirectoryA, WideCharToMultiByte, MoveFileExA, GetTempFileNameA, RemoveDirectoryA, WriteFile, CreateDirectoryA, GetLastError, CreateProcessA, GlobalLock, GlobalUnlock, CreateThread, lstrcpynA, SetErrorMode, GetDiskFreeSpaceA, lstrlenA, GetCommandLineA, GetVersionExA, GetWindowsDirectoryA, SetEnvironmentVariableA, GetTempPathA, CopyFileA, GetCurrentProcess, ExitProcess, GetModuleFileNameA, GetFileSize, ReadFile, GetTickCount, Sleep, CreateFileA, GetFileAttributesA, SetCurrentDirectoryA, SetFileAttributesA, GetFullPathNameA, GetShortPathNameA, MoveFileA, CompareFileTime, SetFileTime, SearchPathA, lstrcmpiA, lstrcmpA, CloseHandle, GlobalFree, GlobalAlloc, ExpandEnvironmentStringsA, LoadLibraryExA, FreeLibrary, lstrcpyA, lstrcatA, FindClose, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, SetFilePointer, GetModuleHandleA, FindNextFileA, FindFirstFileA, DeleteFileA, MulDiv

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	1
Start time:	02:30:43
Start date:	03/09/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe"
Imagebase:	0x400000
File size:	76'495 bytes
MD5 hash:	E9521EC55C41641CC645A0223B1E9AC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	02:32:00
Start date:	03/09/2024
Path:	C:\Users\user\AppData\Local\Temp\setup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\setup.exe"
Imagebase:	0x400000
File size:	107'107'091 bytes
MD5 hash:	2B4BA70B5C6115ADD73FDEF28AAEAA8A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 8%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	02:32:27
Start date:	03/09/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Imagebase:	0xa00000
File size:	187'392 bytes
MD5 hash:	46A3A9D4CA0EBE2BC40FA28BBFCD7200
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 5%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	02:32:31
Start date:	03/09/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=gpu-process --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/128.0.6613.92 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3100 --field-trial-handle=3104,i,8519906087661824235,16153509177742921822,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:2
Imagebase:	0x830000
File size:	187'392 bytes
MD5 hash:	46A3A9D4CA0EBE2BC40FA28BBFCD7200
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	02:32:31
Start date:	03/09/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/128.0.6613.92 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3860 --field-trial-handle=3104,i,8519906087661824235,16153509177742921822,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Imagebase:	0xdd0000
File size:	187'392 bytes
MD5 hash:	46A3A9D4CA0EBE2BC40FA28BBFCD7200
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	02:32:31
Start date:	03/09/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/128.0.6613.92 Mobile/15E148 Safari/604.1" --lang=en-US --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --mojo-platform-channel-handle=3964 --field-trial-handle=3104,i,8519906087661824235,16153509177742921822,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:8
Imagebase:	0xce0000
File size:	187'392 bytes
MD5 hash:	46A3A9D4CA0EBE2BC40FA28BBFCD7200
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	02:32:31
Start date:	03/09/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/128.0.6613.92 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --first-renderer-process --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --time-ticks-at-unix-epoch=-1725338884646186 --launch-time-ticks=6866609478 --mojo-platform-channel-handle=4028 --field-trial-handle=3104,i,8519906087661824235,16153509177742921822,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Imagebase:	0x560000
File size:	187'392 bytes
MD5 hash:	46A3A9D4CA0EBE2BC40FA28BBFCD7200
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	02:32:31
Start date:	03/09/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe" --type=renderer --log-severity=disable --user-agent="Mozilla/5.0 (iPhone; CPU iPhone OS 17_5 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/128.0.6613.92 Mobile/15E148 Safari/604.1" --user-data-dir="C:\Users\user\AppData\Local\CEF\User Data" --no-sandbox --log-file="C:\Users\user\AppData\Roaming\GamePall\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --time-ticks-at-unix-epoch=-1725338884646186 --launch-time-ticks=6866677761 --mojo-platform-channel-handle=4140 --field-trial-handle=3104,i,8519906087661824235,16153509177742921822,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI /prefetch:1
Imagebase:	0x6f0000
File size:	187'392 bytes
MD5 hash:	46A3A9D4CA0EBE2BC40FA28BBFCD7200
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	02:32:31
Start date:	03/09/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0x960000
File size:	187'392 bytes
MD5 hash:	46A3A9D4CA0EBE2BC40FA28BBFCD7200
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	02:32:32
Start date:	03/09/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0xfe0000
File size:	187'392 bytes
MD5 hash:	46A3A9D4CA0EBE2BC40FA28BBFCD7200
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	02:32:32
Start date:	03/09/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0xe40000
File size:	187'392 bytes
MD5 hash:	46A3A9D4CA0EBE2BC40FA28BBFCD7200
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	02:32:34
Start date:	03/09/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0xf0000
File size:	187'392 bytes
MD5 hash:	46A3A9D4CA0EBE2BC40FA28BBFCD7200
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	02:32:34
Start date:	03/09/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0x360000
File size:	187'392 bytes
MD5 hash:	46A3A9D4CA0EBE2BC40FA28BBFCD7200
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	19
Start time:	02:32:35
Start date:	03/09/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0xc40000
File size:	187'392 bytes
MD5 hash:	46A3A9D4CA0EBE2BC40FA28BBFCD7200
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	20
Start time:	02:32:36
Start date:	03/09/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0x8e0000
File size:	187'392 bytes
MD5 hash:	46A3A9D4CA0EBE2BC40FA28BBFCD7200
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	21
Start time:	02:32:36
Start date:	03/09/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0xb60000
File size:	187'392 bytes
MD5 hash:	46A3A9D4CA0EBE2BC40FA28BBFCD7200
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	02:32:37
Start date:	03/09/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0x3d0000
File size:	187'392 bytes
MD5 hash:	46A3A9D4CA0EBE2BC40FA28BBFCD7200
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	02:32:37
Start date:	03/09/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0x580000
File size:	187'392 bytes
MD5 hash:	46A3A9D4CA0EBE2BC40FA28BBFCD7200
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	02:32:37
Start date:	03/09/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0xca0000
File size:	187'392 bytes
MD5 hash:	46A3A9D4CA0EBE2BC40FA28BBFCD7200
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	02:32:38
Start date:	03/09/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0xfa0000
File size:	187'392 bytes
MD5 hash:	46A3A9D4CA0EBE2BC40FA28BBFCD7200
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	26
Start time:	02:32:39
Start date:	03/09/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0xed0000
File size:	187'392 bytes
MD5 hash:	46A3A9D4CA0EBE2BC40FA28BBFCD7200
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	27
Start time:	02:32:40
Start date:	03/09/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0x130000
File size:	187'392 bytes
MD5 hash:	46A3A9D4CA0EBE2BC40FA28BBFCD7200
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	28
Start time:	02:32:42
Start date:	03/09/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0x470000
File size:	187'392 bytes
MD5 hash:	46A3A9D4CA0EBE2BC40FA28BBFCD7200
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	29
Start time:	02:32:42
Start date:	03/09/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0xb60000
File size:	187'392 bytes
MD5 hash:	46A3A9D4CA0EBE2BC40FA28BBFCD7200
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	30
Start time:	02:32:42
Start date:	03/09/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:
File size:	187'392 bytes
MD5 hash:	46A3A9D4CA0EBE2BC40FA28BBFCD7200
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	31
Start time:	02:32:43
Start date:	03/09/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0xfb0000
File size:	187'392 bytes
MD5 hash:	46A3A9D4CA0EBE2BC40FA28BBFCD7200
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	32
Start time:	02:32:44
Start date:	03/09/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:
File size:	187'392 bytes
MD5 hash:	46A3A9D4CA0EBE2BC40FA28BBFCD7200
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	33
Start time:	02:32:44
Start date:	03/09/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0x8e0000
File size:	187'392 bytes
MD5 hash:	46A3A9D4CA0EBE2BC40FA28BBFCD7200
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	34
Start time:	02:32:44
Start date:	03/09/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0x3b0000
File size:	187'392 bytes
MD5 hash:	46A3A9D4CA0EBE2BC40FA28BBFCD7200
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	35
Start time:	02:32:44
Start date:	03/09/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0xb90000
File size:	187'392 bytes
MD5 hash:	46A3A9D4CA0EBE2BC40FA28BBFCD7200
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	36
Start time:	02:32:44
Start date:	03/09/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0x660000
File size:	187'392 bytes
MD5 hash:	46A3A9D4CA0EBE2BC40FA28BBFCD7200
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	02:32:45
Start date:	03/09/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0x690000
File size:	187'392 bytes
MD5 hash:	46A3A9D4CA0EBE2BC40FA28BBFCD7200
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	38
Start time:	02:32:45
Start date:	03/09/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0xa60000
File size:	187'392 bytes
MD5 hash:	46A3A9D4CA0EBE2BC40FA28BBFCD7200
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	39
Start time:	02:32:45
Start date:	03/09/2024
Path:	C:\Users\user\AppData\Roaming\GamePall\GamePall.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\GamePall\GamePall.exe"
Imagebase:	0x1f0000
File size:	187'392 bytes
MD5 hash:	46A3A9D4CA0EBE2BC40FA28BBFCD7200
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Function 0113D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3659262212.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_113d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a034d21d483cbab4e0f34036322c71012bed74abd7f89ee3d09718f5f5fe80f6
Instruction ID: e774b7c599eaee65b3392e58aad6da9eef5150ba482c95d03a9e04b440a0b5f2
Opcode Fuzzy Hash: a034d21d483cbab4e0f34036322c71012bed74abd7f89ee3d09718f5f5fe80f6
Instruction Fuzzy Hash: 8B213472104300DFDF19CF58E9C0B26FBA5FBC8B60F60C569D9490B24AC37AD446CA62

Function 0113E700 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3659262212.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_113d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7dd200e324d580990cb2b5f843f1620688a2dd7dc2b36efa9bc2fdddf5dce5b
Instruction ID: c983df44c1823fc1609ba2e4ab630672216bf145ad49c39bf6ee9e61f3140329
Opcode Fuzzy Hash: f7dd200e324d580990cb2b5f843f1620688a2dd7dc2b36efa9bc2fdddf5dce5b
Instruction Fuzzy Hash: ED210375504704DFDB0ACF18D9C0B26BBA5EBC8314F20C56DD9094B24AC336D846CAA2

Function 0113D1CC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3659262212.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_113d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 617acf13b6aaad413424624b143fe57817ca07c012a7d009b30d467d042aad39
Instruction ID: d8200bd9404d1cae1f02e6b4e8f9b229d4c2b35b20abf789c7c853319c778a0a
Opcode Fuzzy Hash: 617acf13b6aaad413424624b143fe57817ca07c012a7d009b30d467d042aad39
Instruction Fuzzy Hash: 6D2125B5504304DFDF09DF54E580B16BFA5FBC8724F60C56DE8094B24AC376D846CA62

Function 0113E3B8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3659262212.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_113d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad853a6dda1a4c04409c3481207b5731278fa65863e4da705bb92292dc30a054
Instruction ID: d7b33371386331f268bfb908c09090e34ae7b85e890251fbc4d861e4dccb53f0
Opcode Fuzzy Hash: ad853a6dda1a4c04409c3481207b5731278fa65863e4da705bb92292dc30a054
Instruction Fuzzy Hash: 0F2123B1605340DFDB08DF18D6C4B26BFA5FBC8714F20C56DD94A8B246C336D806CA62

Function 0113FEFC Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3659262212.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_113d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5713860d62115fd1036630c30d0ebb9eb5a751d29c54907800e9668f549f77fb
Instruction ID: 09260bc2ddc7e491c51509d733811574112ba93a1dde6dfde01dc0a0374604f2
Opcode Fuzzy Hash: 5713860d62115fd1036630c30d0ebb9eb5a751d29c54907800e9668f549f77fb
Instruction Fuzzy Hash: F321F276904245DFDB08DB18D580B26BBA9EBC9714F20C56DED094B24AC336D806CAA3

Function 0113F828 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3659262212.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_113d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb3a3e22f8c36bfcb8a3064b1cad9e37ef4a5d1f294b8d0095f6e4b9a0fce609
Instruction ID: 2045c0d7291758d759da7c7579c6e5911754357b1212905128043109cd4bc395
Opcode Fuzzy Hash: fb3a3e22f8c36bfcb8a3064b1cad9e37ef4a5d1f294b8d0095f6e4b9a0fce609
Instruction Fuzzy Hash: EC21F3B1A04245DFDB1CDF28D5C0B26BBA5EBC4714F2085ADD94A4B296C33AD847C663

Function 0113EE68 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3659262212.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_113d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fbcb9f680a8f9781ca03d3e7cc990daeaf2b150b6dd7a7afc585aa6033b1b8c
Instruction ID: 37c65a017f7744d46345e3796bb8490140ff51f2fa0dd5cad2ed5ce8233225f5
Opcode Fuzzy Hash: 1fbcb9f680a8f9781ca03d3e7cc990daeaf2b150b6dd7a7afc585aa6033b1b8c
Instruction Fuzzy Hash: B52135B1604344DFDB08DF18D5C0B26BFA5EBC8714F20C67CD90A4B246C37AD846CA62

Function 0113DF98 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3659262212.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_113d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1779b7078f387e4d72f9ff1c64dba310d63efa063f26bb29fb923abd52686a7e
Instruction ID: af1c59d96b475e6f2dfb16f7e3c3f71ce5b6bd00186e4f38a6e945963a06abee
Opcode Fuzzy Hash: 1779b7078f387e4d72f9ff1c64dba310d63efa063f26bb29fb923abd52686a7e
Instruction Fuzzy Hash: FB21F3B1604344DFDB18DF28D5C0B26FBA5EBC4714F20856DD90A4B28AC33AD846CA62

Function 0113F688 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3659262212.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_113d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b51bc74767ca036f54cd5ebe1a3677f6d68a9de7a4d3d5e00d998a4d5aca6311
Instruction ID: 343660086c98225481de0e3c484e1c03a26b83a954b3628151306c000cfdc44c
Opcode Fuzzy Hash: b51bc74767ca036f54cd5ebe1a3677f6d68a9de7a4d3d5e00d998a4d5aca6311
Instruction Fuzzy Hash: C32135B5A04641DFDB19DF28D5C0B26BBA5EBC8714F20C56CD90A8B256C33AD847CA63

Function 0113F5B8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3659262212.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_113d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78d805429550da882e080d4bf6f1e0b64bbc513e630aa47d4eca5904b4b09301
Instruction ID: d95208afb409500ed148a23f7a3c24fbe099e751b72ba270458197f2a4511aea
Opcode Fuzzy Hash: 78d805429550da882e080d4bf6f1e0b64bbc513e630aa47d4eca5904b4b09301
Instruction Fuzzy Hash: 6C21F6F5904241DFD708DF28D5C4B26BBA5EBC4714F20856DD90A4B2A6D33AD847C663

Function 0113F8F8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3659262212.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_113d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d64be32b57c6fa7e3452008bdd45a303f27c2bd0040da408a1f25ed3cfdd2713
Instruction ID: b142737132da8e2f72f23fe0d20d015edb66965da0248b7515defdd3b8b2fd37
Opcode Fuzzy Hash: d64be32b57c6fa7e3452008bdd45a303f27c2bd0040da408a1f25ed3cfdd2713
Instruction Fuzzy Hash: A221D4B1904345EFD708DB18D580B26BBA5EBC4614F20856DE94A4B256E33AD847C7A3

Function 0113E7E8 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3659262212.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_113d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c72239da1e0b0505c13988f4040d0063b113daadddf84b3daa181c2f336b477d
Instruction ID: 8ce76c061e7433df6caf89074b364804b12cd7ecae320e4bf576eb1fb4c727e3
Opcode Fuzzy Hash: c72239da1e0b0505c13988f4040d0063b113daadddf84b3daa181c2f336b477d
Instruction Fuzzy Hash: A72123B1A05344DFD708DF18D5C4B26BBA4EBC4314F20C6ADD90A4B246C33AD846CA62

Function 0113D003 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3659262212.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_113d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 405f2634aaf3023f3ff447b2e0aeecf983fe1289965cfbc4172b9feb93ab7a47
Instruction ID: 3f8e535d26759da4e71b3f5f248211deae1fa118b2ba02abdefa0a0f1ee90c6e
Opcode Fuzzy Hash: 405f2634aaf3023f3ff447b2e0aeecf983fe1289965cfbc4172b9feb93ab7a47
Instruction Fuzzy Hash: 74219F755093C08FDB17CF24D990715BF71EB86610F29C1EAD8888F697C33A980ACB62

Function 0113D1C7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3659262212.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_113d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ccfe305154e95a536d18b49939e535c9c69fd109e9eb5688aea898868e671a0
Instruction ID: 74c5066fb946fa006d224e9d4f7315c67dbce6ad0f786988096b444b5aa01b52
Opcode Fuzzy Hash: 2ccfe305154e95a536d18b49939e535c9c69fd109e9eb5688aea898868e671a0
Instruction Fuzzy Hash: D011DDB5904284DFDB06CF54E5C0B15BFB1FB88324F24C6A9D8094B25BC33AD40ACB62

Function 0113E6FB Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3659262212.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_113d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ccfe305154e95a536d18b49939e535c9c69fd109e9eb5688aea898868e671a0
Instruction ID: 7bac0c5d6f90971f1181fa96f47c2a115cc080a1f6e27e670570e690a57fdfd9
Opcode Fuzzy Hash: 2ccfe305154e95a536d18b49939e535c9c69fd109e9eb5688aea898868e671a0
Instruction Fuzzy Hash: 6611BB7A504784CFDB06CF14D5C0B15BBA2FB84314F24C6AAD8494B79AC33AD40ACBA1

Function 0113E3B3 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3659262212.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_113d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20c4a4e4bc7d81947f08c6621edd39f4970166bd47416ad1fff7e27dfd42937b
Instruction ID: 7e79685313dd1ba0c7109f62b41ad04107ebfd157325dca899b9121ea2dc5eaa
Opcode Fuzzy Hash: 20c4a4e4bc7d81947f08c6621edd39f4970166bd47416ad1fff7e27dfd42937b
Instruction Fuzzy Hash: 8211BC75505380CFDB0ACF18D6C4B15BFA1FB88214F24C6ADD8498B696C33AD80ACB92

Function 0113FEF7 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3659262212.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_113d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20c4a4e4bc7d81947f08c6621edd39f4970166bd47416ad1fff7e27dfd42937b
Instruction ID: 85e8b0b0b59c427c1719a1d1cdf7f3c9e3b55ffb44bc478b293febd15567dbe7
Opcode Fuzzy Hash: 20c4a4e4bc7d81947f08c6621edd39f4970166bd47416ad1fff7e27dfd42937b
Instruction Fuzzy Hash: 5C119D76904284CFDB06CF14D584B15BFA1FB85314F24C6ADD8494B656C33AD80ACB92

Function 0113F823 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3659262212.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_113d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d1c52dc45a38f9b83cbbabb2e91bfb8e4dbf08f4ce62c4e4c1e7387a46ea89e
Instruction ID: 6e9b5668aaa5bfc5dd6412e2a871acf500b476dff364f25d23b4bc96e966d732
Opcode Fuzzy Hash: 8d1c52dc45a38f9b83cbbabb2e91bfb8e4dbf08f4ce62c4e4c1e7387a46ea89e
Instruction Fuzzy Hash: 2D118F75904684CFDB19DF18D5C4B15BBA1FB84314F24C6ADC8494B656C33A944BCB92

Function 0113EE63 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3659262212.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_113d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d1c52dc45a38f9b83cbbabb2e91bfb8e4dbf08f4ce62c4e4c1e7387a46ea89e
Instruction ID: 85e65292715bbb7ac78da7fe004db6a1251eb4286430e992552dc3119f1a5b2c
Opcode Fuzzy Hash: 8d1c52dc45a38f9b83cbbabb2e91bfb8e4dbf08f4ce62c4e4c1e7387a46ea89e
Instruction Fuzzy Hash: 9011CEB5504384CFDB1ADF18D5C4B15BFA1FB84314F24C6ADD8494B656C33AD84ACB92

Function 0113F683 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3659262212.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_113d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d1c52dc45a38f9b83cbbabb2e91bfb8e4dbf08f4ce62c4e4c1e7387a46ea89e
Instruction ID: 08dcd65915c36846a52a83cb292e822f40ee6609d67a7b326c74ec65295dff6f
Opcode Fuzzy Hash: 8d1c52dc45a38f9b83cbbabb2e91bfb8e4dbf08f4ce62c4e4c1e7387a46ea89e
Instruction Fuzzy Hash: DD119179904684CFDB16DF28D5C4B15BBB1FB84314F24C6ADC8498B656C33AD44BCB52

Function 0113F5B3 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3659262212.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_113d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d1c52dc45a38f9b83cbbabb2e91bfb8e4dbf08f4ce62c4e4c1e7387a46ea89e
Instruction ID: 8ffdb469824437d57a362b5e0f4cc31b684d44139e1ff2585c7975f2a9e55b4f
Opcode Fuzzy Hash: 8d1c52dc45a38f9b83cbbabb2e91bfb8e4dbf08f4ce62c4e4c1e7387a46ea89e
Instruction Fuzzy Hash: 0011C1B5904680CFDB05DF24D5C4B15BBA1FB84314F24C6ADC8494B666C33AD44BCB52

Function 0113F8F3 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3659262212.000000000113D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0113D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_113d000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d1c52dc45a38f9b83cbbabb2e91bfb8e4dbf08f4ce62c4e4c1e7387a46ea89e
Instruction ID: 3b639a79d7577817a395b0f757a272a1f4fece273df334ca7c13163e06a7617b
Opcode Fuzzy Hash: 8d1c52dc45a38f9b83cbbabb2e91bfb8e4dbf08f4ce62c4e4c1e7387a46ea89e
Instruction Fuzzy Hash: 8111C1B5904284DFDB05CF14D5C4B15BBA1FB84314F24C6ADD8494B756D33A984BCB92

Analysis Process: GamePall.exePID: 776, Parent PID: 3796COMMON

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	26.1%
Total number of Nodes:	1100
Total number of Limit Nodes:	13

Executed Functions

Function 6088DC00 Relevance: 44.6, APIs: 2, Strings: 23, Instructions: 898COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 6088DD72
_strlen.LIBCMT ref: 6088DEB9

Strings

__s2 < __s1 || __s2 >= __s1+__n, xrefs: 6088E9CA
__len == 0 || __s != nullptr, xrefs: 6088EABB
..\..\third_party\libc++\src\include\string_view, xrefs: 6088EAAF
[CrashKeys], xrefs: 6088E00E
[Con, xrefs: 6088DFA1
..\..\third_party\libc++\src\include\__string\char_traits.h, xrefs: 6088E9D4
__s < __min_cap, xrefs: 6088EA7C
,, xrefs: 6088E731
CEF_CRASH_REPORTER_RATE_LIMIT_ENABLED, xrefs: 6088DCA5
string_view::string_view(_CharT *, size_t): length does not fit in difference_type, xrefs: 6088EAA0
fig], xrefs: 6088DFAB
char_traits::copy overlapped range, xrefs: 6088E9C5
__len <= static_cast<size_type>(numeric_limits<difference_type>::max()), xrefs: 6088EAA5
S, xrefs: 6088EDAC
..\..\third_party\libc++\src\include\string, xrefs: 6088EA86
crash_reporter.cfg, xrefs: 6088EA52
larg, xrefs: 6088E4B5
__s should never be greater than or equal to the short string capacity, xrefs: 6088EA77
smal, xrefs: 6088E49D
medi, xrefs: 6088E4EA
CEF_CRASH_REPORTER_SERVER_URL, xrefs: 6088DC7D
%s:%d: assertion %s failed: %s, xrefs: 6088EA8B
string_view::string_view(_CharT *, size_t): received nullptr, xrefs: 6088EAB6

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: FileModuleName_strlen
String ID: %s:%d: assertion %s failed: %s$,$..\..\third_party\libc++\src\include\__string\char_traits.h$..\..\third_party\libc++\src\include\string$..\..\third_party\libc++\src\include\string_view$CEF_CRASH_REPORTER_RATE_LIMIT_ENABLED$CEF_CRASH_REPORTER_SERVER_URL$S$[Con$[CrashKeys]$__len <= static_cast<size_type>(numeric_limits<difference_type>::max())$__len == 0 || __s != nullptr$__s < __min_cap$__s should never be greater than or equal to the short string capacity$__s2 < __s1 || __s2 >= __s1+__n$char_traits::copy overlapped range$crash_reporter.cfg$fig]$larg$medi$smal$string_view::string_view(_CharT *, size_t): length does not fit in difference_type$string_view::string_view(_CharT *, size_t): received nullptr
API String ID: 2404361900-60179841
Opcode ID: 717df2daef5929c174a901cfc60d033b38c4dcfd6ca5478f2dadd3122fd54b7c
Instruction ID: 6540dfb147e3488f625a47a0534b49b203d72b09a285218d60d2383f2da83d58
Opcode Fuzzy Hash: 717df2daef5929c174a901cfc60d033b38c4dcfd6ca5478f2dadd3122fd54b7c
Instruction Fuzzy Hash: 5372A0F1E042398BDB65CB24CC80799BBB5EF65308F0448E9E64DA7241EB709E85CF59

Function 608B3C00 Relevance: 38.4, APIs: 20, Strings: 1, Instructions: 1659COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(?), ref: 608B3DFE
ReleaseSRWLockExclusive.KERNEL32(?), ref: 608B3EA0
ReleaseSRWLockExclusive.KERNEL32(?,?,00000001,00000000,00004000,00000000), ref: 608B3F38

Strings

first, xrefs: 608B408C, 608B40EF, 608B4669, 608B4697, 608B46DD, 608B4FB2, 608B5186, 608B51DC, 608B520C, 608B525F

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ExclusiveLock$Release$Acquire
String ID: first
API String ID: 1021914862-2456940119
Opcode ID: f603454bc9418d52e79af0c056a07daf3508d80a03c1c14c86c30fa8009cd109
Instruction ID: 67bd4ef94a73182f2a61f948fbc90a15ae9e68d49433951639114c3ad1468ad2
Opcode Fuzzy Hash: f603454bc9418d52e79af0c056a07daf3508d80a03c1c14c86c30fa8009cd109
Instruction Fuzzy Hash: 82D2ED71A087018FD709CF28C891B2ABBE2FFA5314F19896CE9959B395D731EC45CB81

Function 60885140 Relevance: 23.0, APIs: 6, Strings: 7, Instructions: 260
nativeCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlInitUnicodeString.NTDLL(?,FFFFFFFF), ref: 6088516F
NtQueryValueKey.NTDLL ref: 608852ED
NtQueryValueKey.NTDLL ref: 60885364
NtQueryValueKey.NTDLL ref: 608853D5
NtQueryValueKey.NTDLL ref: 60885407
NtQueryValueKey.NTDLL ref: 6088543D

Strings

null pointer given to destroy_at, xrefs: 60885389
null pointer given to construct_at, xrefs: 6088546E
__location != nullptr, xrefs: 60885473
..\..\third_party\libc++\src\include\__memory\construct_at.h, xrefs: 60885395
__loc != nullptr, xrefs: 6088538E
\BLBeacon, xrefs: 60885144
%s:%d: assertion %s failed: %s, xrefs: 6088539A

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: QueryValue$InitStringUnicode
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\__memory\construct_at.h$\BLBeacon$__loc != nullptr$__location != nullptr$null pointer given to construct_at$null pointer given to destroy_at
API String ID: 859960800-1453909569
Opcode ID: 5c3c3097e6f2a31700424ed35964d256c36315750f772b1369a01ee12189ec85
Instruction ID: 5666a21bfb488aed402fb9f5bc188945ab8ef73b3d44bdcd839dcde57622ff1e
Opcode Fuzzy Hash: 5c3c3097e6f2a31700424ed35964d256c36315750f772b1369a01ee12189ec85
Instruction Fuzzy Hash: 7491C3709043459EEF21CA788884B5F7FE5DF62724F184E59E426EB3E1C3B4D8898762

Function 608B0D00 Relevance: 18.4, APIs: 7, Strings: 3, Instructions: 919COMMON

Download Yara Rule

APIs

ReleaseSRWLockExclusive.KERNEL32(-000000C0), ref: 608B15CB

Strings

size, xrefs: 608B12FC
span, xrefs: 608B12EF
first, xrefs: 608B1908

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ExclusiveLockRelease
String ID: first$size$span
API String ID: 1766480654-3452983260
Opcode ID: d401b6627694127fc917b9d6c52ddc3b116d0700bd2c714ce63e2d965ef923d6
Instruction ID: df80e3076a973cca422d3207d8328613220df26ec05021f3e1a336cd308ac55e
Opcode Fuzzy Hash: d401b6627694127fc917b9d6c52ddc3b116d0700bd2c714ce63e2d965ef923d6
Instruction Fuzzy Hash: BB82D171A047018FDB18CF28C480B9ABBE2FF98314F58896DE9999B395D730ED45CB81

Function 608B36F0 Relevance: 10.9, APIs: 5, Strings: 1, Instructions: 363
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 608B2C10: TryAcquireSRWLockExclusive.KERNEL32(?), ref: 608B2C53
Part of subcall function 608B2C10: ReleaseSRWLockExclusive.KERNEL32(?,?,00000021,?,00004000,000000FF), ref: 608B2D4A

TryAcquireSRWLockExclusive.KERNEL32(?), ref: 608B38D2
ReleaseSRWLockExclusive.KERNEL32(?), ref: 608B3971
TryAcquireSRWLockExclusive.KERNEL32(?), ref: 608B39A5
ReleaseSRWLockExclusive.KERNEL32(?,?,00000000,00000000,00004000,00000000), ref: 608B3A51
ReleaseSRWLockExclusive.KERNEL32(?,?,00000000,00000000,00004000,00000000), ref: 608B3BE6

Strings

first, xrefs: 608B3B86, 608B3BC9

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ExclusiveLock$Release$Acquire
String ID: first
API String ID: 1021914862-2456940119
Opcode ID: 9a735a9e406c16710a59c2242ac4efa25e415fd14003c2ef2f29a5a4f7da14da
Instruction ID: 48f81caddc683507b54dfc0aadd3bb8f6ffd581d4f4f6075fcb27200b99b95e7
Opcode Fuzzy Hash: 9a735a9e406c16710a59c2242ac4efa25e415fd14003c2ef2f29a5a4f7da14da
Instruction Fuzzy Hash: 71E114716043019FD708CF28C894B2ABBE2FF95314F29896CE9958B396E775EC45CB81

Function 60884FA0 Relevance: 3.1, APIs: 2, Instructions: 126nativeCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlInitUnicodeString.NTDLL(60885643,?), ref: 608850AB
NtOpenKeyEx.NTDLL(?,?,?,00000000), ref: 608850D6

Part of subcall function 60884970: RtlFormatCurrentUserKeyPath.NTDLL(?), ref: 60884995
Part of subcall function 60884970: RtlFreeUnicodeString.NTDLL(?), ref: 608849DD
Part of subcall function 60884970: GetCommandLineW.KERNEL32(?,?,?), ref: 608849F8
Part of subcall function 60884970: GetEnvironmentVariableW.KERNEL32(PROGRAMFILES,?,00000104,?,?,?), ref: 60884A0B
Part of subcall function 60884970: GetEnvironmentVariableW.KERNEL32(PROGRAMFILES(X86),?,00000104,?,?,?), ref: 60884A3A
Part of subcall function 60884970: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?), ref: 60884A70
Part of subcall function 60884970: GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 60884A7C
Part of subcall function 60884970: GetCurrentProcess.KERNEL32(?,?,?), ref: 60884A88

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: CurrentEnvironmentStringUnicodeVariable$AddressCommandFormatFreeHandleInitLineModuleOpenPathProcProcessUser
String ID:
API String ID: 3669629139-0
Opcode ID: 59023ef12de0f3c98d6c575579fc664690939071c532231f4abc15163b32a0f3
Instruction ID: f09cf31c5eb9c549665fdcdddc04bdf88942167635f1a3a6d0772d3f27ce2f79
Opcode Fuzzy Hash: 59023ef12de0f3c98d6c575579fc664690939071c532231f4abc15163b32a0f3
Instruction Fuzzy Hash: 9741D1B1D04359AFDB05CF68D881BAE7BB5EFA5304F144829F806A7351EB309949CB91

Function 60885610 Relevance: 1.5, APIs: 1, Instructions: 46nativeCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 60884FA0: RtlInitUnicodeString.NTDLL(60885643,?), ref: 608850AB
Part of subcall function 60884FA0: NtOpenKeyEx.NTDLL(?,?,?,00000000), ref: 608850D6

NtClose.NTDLL ref: 60885684

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: CloseInitOpenStringUnicode
String ID:
API String ID: 2903745284-0
Opcode ID: a03824296286beb3edd5f8dffca0749f2adca58609462d5d24c5b38b417321d3
Instruction ID: 118ef5465531e66a0f038988a0202e045b94530f579dfb6cb6139741df9a2255
Opcode Fuzzy Hash: a03824296286beb3edd5f8dffca0749f2adca58609462d5d24c5b38b417321d3
Instruction Fuzzy Hash: 4801A2B1D10219AFDF00DFA8EC41A9FBF6AEF65224F804514FC1967381E7716D158BA1

Function 02A31049 Relevance: .8, Instructions: 840COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6109f82b756fb1fc6acf1c22bd8726a98da775e79a205db3940149b96d4af783
Instruction ID: 6ccab44c19c018d43cde7fbf88c7b16f9125e9a68889e09b42098bcf3dffae08
Opcode Fuzzy Hash: 6109f82b756fb1fc6acf1c22bd8726a98da775e79a205db3940149b96d4af783
Instruction Fuzzy Hash: F1826D78610209CBEF56EBB5D654BAE7B73EB8C304F208424A90127B9DCB356D41DB32

Function 02A33860 Relevance: .7, Instructions: 683COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f70b988b028adc851c18f0ae9be8e6249e6c12fcb5303315ec06e8a3a93024e
Instruction ID: c54177465cc8bad5381f08417f211af5043ab94da3072507beef1d6bff69f409
Opcode Fuzzy Hash: 1f70b988b028adc851c18f0ae9be8e6249e6c12fcb5303315ec06e8a3a93024e
Instruction Fuzzy Hash: 55426C34B10215DFEB05EB79D994AAE7BB7EF88300F148469E516A77A8CF349C01CB90

Function 02A34F58 Relevance: .6, Instructions: 605COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b868cd8969c965613be84bed7144c41b6e52ef0abe90f6149314ddbfbff58e43
Instruction ID: ae4a776cb0c457728351130150945c7fc4ff546012cd2f508ac4d4312a5fb508
Opcode Fuzzy Hash: b868cd8969c965613be84bed7144c41b6e52ef0abe90f6149314ddbfbff58e43
Instruction Fuzzy Hash: 8D227B31F002158FDB05EF69D594AAEBBF2AF89710F648069E506EB364DF349D42CB90

Function 60876800 Relevance: 122.0, APIs: 97, Instructions: 740sleepmemoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(?,00000000,00003000,60876E01,00000000,?,00000000,?,?,60876E01,00000000,?,?), ref: 6087682C
GetLastError.KERNEL32(?,60876E01,00000000,?,?), ref: 60876856
GetLastError.KERNEL32 ref: 60876897
Sleep.KERNEL32(00000032), ref: 608768B1
VirtualAlloc.KERNEL32(?,00000000,00003000,60876E01), ref: 608768BF
GetLastError.KERNEL32 ref: 608768C9
Sleep.KERNEL32(00000032), ref: 608768E7
VirtualAlloc.KERNEL32(?,00000000,00003000,60876E01), ref: 608768F5
GetLastError.KERNEL32 ref: 60876903
Sleep.KERNEL32(00000032), ref: 60876921
VirtualAlloc.KERNEL32(?,00000000,00003000,60876E01), ref: 6087692F
GetLastError.KERNEL32 ref: 6087693D
Sleep.KERNEL32(00000032), ref: 6087695B
VirtualAlloc.KERNEL32(?,00000000,00003000,60876E01), ref: 60876969
GetLastError.KERNEL32 ref: 60876977
Sleep.KERNEL32(00000032), ref: 60876995
VirtualAlloc.KERNEL32(?,00000000,00003000,60876E01), ref: 608769A3
GetLastError.KERNEL32 ref: 608769B1
Sleep.KERNEL32(00000032), ref: 608769CF
VirtualAlloc.KERNEL32(?,00000000,00003000,60876E01), ref: 608769DD
GetLastError.KERNEL32 ref: 608769EB
Sleep.KERNEL32(00000032), ref: 60876A09
VirtualAlloc.KERNEL32(?,00000000,00003000,60876E01), ref: 60876A17
GetLastError.KERNEL32 ref: 60876A25
Sleep.KERNEL32(00000032), ref: 60876A43
VirtualAlloc.KERNEL32(?,00000000,00003000,60876E01), ref: 60876A51
GetLastError.KERNEL32 ref: 60876A5F
Sleep.KERNEL32(00000032), ref: 60876A7D
VirtualAlloc.KERNEL32(?,00000000,00003000,60876E01), ref: 60876A8B
GetLastError.KERNEL32 ref: 60876A99
Sleep.KERNEL32(00000032), ref: 60876AB7

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ErrorLast$AllocSleepVirtual
String ID:
API String ID: 4039713267-0
Opcode ID: 854e283f43337664ecd129f4b8320cfe166b8ab0f7af1aa9f72dd26238b30705
Instruction ID: 114e64d03f3aaeaa1d45b6473b53b773e64d3194231b384484ee14f900cbde8d
Opcode Fuzzy Hash: 854e283f43337664ecd129f4b8320cfe166b8ab0f7af1aa9f72dd26238b30705
Instruction Fuzzy Hash: 3D42D13261810AAFDF23CF65CC5DB6E3F76EF16314F208824F545AA1A5DB3089A0DB52

Function 608B07F0 Relevance: 37.7, APIs: 30, Instructions: 182
memorysleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,00000001,00001000,?,?,?,608B1E3F,00000001,?,00000001,?,?,?,6090CFA4), ref: 608B081A
GetLastError.KERNEL32(?,?,608B1E3F,00000001,?,00000001,?,?,?,6090CFA4), ref: 608B084D
Sleep.KERNEL32(00000032,?,?,608B1E3F,00000001,?,00000001,?,?,?,6090CFA4), ref: 608B0867
VirtualAlloc.KERNEL32(?,00000001,00001000,?,?,?,608B1E3F,00000001,?,00000001,?,?,?,6090CFA4), ref: 608B0877
Sleep.KERNEL32(00000032,?,?,608B1E3F,00000001,?,00000001,?,?,?,6090CFA4), ref: 608B08A0
VirtualAlloc.KERNEL32(?,00000001,00001000,?,?,?,608B1E3F,00000001,?,00000001,?,?,?,6090CFA4), ref: 608B08B0
GetLastError.KERNEL32(?,?,608B1E3F,00000001,?,00000001,?,?,?,6090CFA4), ref: 608B08C0
GetLastError.KERNEL32(?,?,?,?,?,608B1E3F,00000001,?,00000001,?,?,?,6090CFA4), ref: 608B08E1
Sleep.KERNEL32(00000032,?,?,608B1E3F,00000001,?,00000001,?,?,?,6090CFA4), ref: 608B08FF
VirtualAlloc.KERNEL32(?,00000001,00001000,?,?,?,608B1E3F,00000001,?,00000001,?,?,?,6090CFA4), ref: 608B090F
GetLastError.KERNEL32(?,?,608B1E3F,00000001,?,00000001,?,?,?,6090CFA4), ref: 608B091D
Sleep.KERNEL32(00000032,?,?,608B1E3F,00000001,?,00000001,?,?,?,6090CFA4), ref: 608B093B
VirtualAlloc.KERNEL32(?,00000001,00001000,?,?,?,608B1E3F,00000001,?,00000001,?,?,?,6090CFA4), ref: 608B094B
GetLastError.KERNEL32(?,?,608B1E3F,00000001,?,00000001,?,?,?,6090CFA4), ref: 608B0959
Sleep.KERNEL32(00000032,?,?,608B1E3F,00000001,?,00000001,?,?,?,6090CFA4), ref: 608B0977
VirtualAlloc.KERNEL32(?,00000001,00001000,?,?,?,608B1E3F,00000001,?,00000001,?,?,?,6090CFA4), ref: 608B0987
GetLastError.KERNEL32(?,?,608B1E3F,00000001,?,00000001,?,?,?,6090CFA4), ref: 608B0995
Sleep.KERNEL32(00000032,?,?,608B1E3F,00000001,?,00000001,?,?,?,6090CFA4), ref: 608B09B3
VirtualAlloc.KERNEL32(?,00000001,00001000,?,?,?,608B1E3F,00000001,?,00000001,?,?,?,6090CFA4), ref: 608B09C3
GetLastError.KERNEL32(?,?,608B1E3F,00000001,?,00000001,?,?,?,6090CFA4), ref: 608B09D1

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: AllocErrorLastVirtual$Sleep
String ID:
API String ID: 1485398201-0
Opcode ID: aca324309c15db8166927b3d93d2f389a00874387acaf7e1d3bc5f479c53a56b
Instruction ID: efbb33c9e6cfac395b80c725df6330ee99965b52261ff1bd272c457472469296
Opcode Fuzzy Hash: aca324309c15db8166927b3d93d2f389a00874387acaf7e1d3bc5f479c53a56b
Instruction Fuzzy Hash: 8451B931259206EFDF238B12CD5DB5E3E36EB52796F200838F146A92B1D7708A80DED1

Function 60876590 Relevance: 37.7, APIs: 30, Instructions: 176
sleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000005,?,?,?,?,00000000,00000000,?,60876B27,?,?,00001000), ref: 608765AA
GetLastError.KERNEL32(?,60876B27,?,?,00001000), ref: 608765D0
Sleep.KERNEL32(00000032,?,60876B27,?,?,00001000), ref: 608765EA
VirtualAlloc.KERNEL32(00000005,?,?,?,?,60876B27,?,?,00001000), ref: 608765F8
Sleep.KERNEL32(00000032,?,60876B27,?,?,00001000), ref: 60876606
VirtualAlloc.KERNEL32(00000005,?,?,?,?,60876B27,?,?,00001000), ref: 60876614
GetLastError.KERNEL32(?,60876B27,?,?,00001000), ref: 60876620
GetLastError.KERNEL32(?,60876B27,?,?,00001000), ref: 6087663A
Sleep.KERNEL32(00000032,?,60876B27,?,?,00001000), ref: 60876658
VirtualAlloc.KERNEL32(00000005,?,?,?,?,60876B27,?,?,00001000), ref: 60876666
GetLastError.KERNEL32(?,60876B27,?,?,00001000), ref: 60876674
Sleep.KERNEL32(00000032,?,60876B27,?,?,00001000), ref: 60876692
VirtualAlloc.KERNEL32(00000005,?,?,?,?,60876B27,?,?,00001000), ref: 608766A0
GetLastError.KERNEL32(?,60876B27,?,?,00001000), ref: 608766AE
Sleep.KERNEL32(00000032,?,60876B27,?,?,00001000), ref: 608766CC
VirtualAlloc.KERNEL32(00000005,?,?,?,?,60876B27,?,?,00001000), ref: 608766DA
GetLastError.KERNEL32(?,60876B27,?,?,00001000), ref: 608766E8
Sleep.KERNEL32(00000032,?,60876B27,?,?,00001000), ref: 60876706
VirtualAlloc.KERNEL32(00000005,?,?,?,?,60876B27,?,?,00001000), ref: 60876714
GetLastError.KERNEL32(?,60876B27,?,?,00001000), ref: 60876722
Sleep.KERNEL32(00000032,?,60876B27,?,?,00001000), ref: 60876740
VirtualAlloc.KERNEL32(00000005,?,?,?,?,60876B27,?,?,00001000), ref: 6087674E
GetLastError.KERNEL32(?,60876B27,?,?,00001000), ref: 6087675C
Sleep.KERNEL32(00000032,?,60876B27,?,?,00001000), ref: 6087677A
VirtualAlloc.KERNEL32(00000005,?,?,?,?,60876B27,?,?,00001000), ref: 60876788
GetLastError.KERNEL32(?,60876B27,?,?,00001000), ref: 60876796
Sleep.KERNEL32(00000032,?,60876B27,?,?,00001000), ref: 608767B4
VirtualAlloc.KERNEL32(00000005,?,?,?,?,60876B27,?,?,00001000), ref: 608767C2
GetLastError.KERNEL32(?,60876B27,?,?,00001000), ref: 608767D0
Sleep.KERNEL32(00000032,?,60876B27,?,?,00001000), ref: 608767EE

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: AllocErrorLastSleepVirtual
String ID:
API String ID: 2288223010-0
Opcode ID: 5f87c03f9077c5d8c8a7a8f80db21cf205f10c848d2c8727a2826667f816f9b1
Instruction ID: 2808ce26d23875d6ca2faa00e8801f74d66468652f737b0f20eb5f5907f0afff
Opcode Fuzzy Hash: 5f87c03f9077c5d8c8a7a8f80db21cf205f10c848d2c8727a2826667f816f9b1
Instruction Fuzzy Hash: 96514F3111910AEFCF229F62CC1DA6E3F76EF52359F108818F545994B9D7318AA4EF11

Function 60884970 Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 114
libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlFormatCurrentUserKeyPath.NTDLL(?), ref: 60884995
RtlFreeUnicodeString.NTDLL(?), ref: 608849DD
GetCommandLineW.KERNEL32(?,?,?), ref: 608849F8
GetEnvironmentVariableW.KERNEL32(PROGRAMFILES,?,00000104,?,?,?), ref: 60884A0B
GetEnvironmentVariableW.KERNEL32(PROGRAMFILES(X86),?,00000104,?,?,?), ref: 60884A3A
GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?), ref: 60884A70
GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 60884A7C
GetCurrentProcess.KERNEL32(?,?,?), ref: 60884A88

Strings

PROGRAMFILES(X86), xrefs: 60884A35
IsWow64Process, xrefs: 60884A76
\BLBeacon, xrefs: 60884974
kernel32.dll, xrefs: 60884A6B
PROGRAMFILES, xrefs: 60884A06

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: CurrentEnvironmentVariable$AddressCommandFormatFreeHandleLineModulePathProcProcessStringUnicodeUser
String ID: IsWow64Process$PROGRAMFILES$PROGRAMFILES(X86)$\BLBeacon$kernel32.dll
API String ID: 1360800022-3675488706
Opcode ID: 0c539c8914c5cb77996742cab7698dc3ba947c64ba7a4769a9abd8c1fbf50f02
Instruction ID: 5e1125283928d3a51bf31d0b3e5dbf3b70cab483b8fc88e49eaafd32b894341e
Opcode Fuzzy Hash: 0c539c8914c5cb77996742cab7698dc3ba947c64ba7a4769a9abd8c1fbf50f02
Instruction Fuzzy Hash: 27314B726442286BEB15DB759C8DFAF3FAEDF72349F000424F805E6281EB709945DBA1

Function 60879A70 Relevance: 15.9, APIs: 2, Strings: 7, Instructions: 124
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000025,__location != nullptr,null pointer given to construct_at), ref: 60879B56
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000025,__location != nullptr,null pointer given to construct_at), ref: 60879B66

Strings

__s2 < __s1 || __s2 >= __s1+__n, xrefs: 60879B10
char_traits::copy overlapped range, xrefs: 60879B0B
..\..\third_party\libc++\src\include\string, xrefs: 60879B04
__n == 0 || __s != nullptr, xrefs: 60879AFA
..\..\third_party\libc++\src\include\__string\char_traits.h, xrefs: 60879B1A
basic_string(const char*, n) detected nullptr, xrefs: 60879AF5
%s:%d: assertion %s failed: %s, xrefs: 60879B1F

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: PerformanceQuery$CounterFrequency
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\__string\char_traits.h$..\..\third_party\libc++\src\include\string$__n == 0 || __s != nullptr$__s2 < __s1 || __s2 >= __s1+__n$basic_string(const char*, n) detected nullptr$char_traits::copy overlapped range
API String ID: 774501991-1402792131
Opcode ID: ec1a68f04c2c1bfc31c7f1bcdfc14e4f05f240e5c8ae66f92b335ee33c64fc92
Instruction ID: f46a7a0fb9256708ccc549d35a7be662dcc5a0021519d59dc90449e186b0fa63
Opcode Fuzzy Hash: ec1a68f04c2c1bfc31c7f1bcdfc14e4f05f240e5c8ae66f92b335ee33c64fc92
Instruction Fuzzy Hash: BF4113B0508718AFC711DF29C88185EFBEAFFA6354F108A1AF8C9A7265DB30D544C792

Function 608F092A Relevance: 13.8, APIs: 9, Instructions: 273
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 608F0D2F: CreateFileW.KERNELBASE(565753E5,89167401,1839FFFD,8B08758B,D043E8CF,8BE85653,00000000,6090E636,608F09D3,68F1890C,6090E61E), ref: 608F0D4C

GetLastError.KERNEL32 ref: 608F0A3E
__dosmaperr.LIBCMT ref: 608F0A45
GetFileType.KERNEL32(00000000), ref: 608F0A51
GetLastError.KERNEL32 ref: 608F0A5B
__dosmaperr.LIBCMT ref: 608F0A64
CloseHandle.KERNEL32 ref: 608F0A84
CloseHandle.KERNEL32(89167401), ref: 608F0BD1
GetLastError.KERNEL32 ref: 608F0C03
__dosmaperr.LIBCMT ref: 608F0C0A

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID:
API String ID: 4237864984-0
Opcode ID: f800e1793f538e60c033ef0123901c6b946a58889b29aab1d2f12cdcd47adbc2
Instruction ID: 2c5744c9a60984601ba9ede7c056576cf4ec2ee68283350ae5adbfb42bc8fa0d
Opcode Fuzzy Hash: f800e1793f538e60c033ef0123901c6b946a58889b29aab1d2f12cdcd47adbc2
Instruction Fuzzy Hash: 56A12132A182589FCF0ADF78DC51BAD3FB2EB17364F140559E811AB291EB348852CB91

Function 02A3C060 Relevance: 8.9, Strings: 7, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

UQp^, xrefs: 02A3C2BA
+VQp^, xrefs: 02A3C1F2
KVQp^, xrefs: 02A3C18E
{VQp^, xrefs: 02A3C0F8
kVQp^, xrefs: 02A3C12A
[VQp^, xrefs: 02A3C15C
;VQp^, xrefs: 02A3C1C0

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID: +VQp^$;VQp^$KVQp^$[VQp^$kVQp^${VQp^$UQp^
API String ID: 0-1312034515
Opcode ID: bdf0092a29f3764842e078155ab9703b2545c559b62b1a2a24040bb69fc89df9
Instruction ID: 84543aba2346e75290646f2b2268a90e3e6ded30c81f1f2e3d47332a1a400380
Opcode Fuzzy Hash: bdf0092a29f3764842e078155ab9703b2545c559b62b1a2a24040bb69fc89df9
Instruction Fuzzy Hash: AF714632601B019BC75AEB35C95054BBBB2FF85204358CA2E92578BB55EF72FD068BC1

Function 02A3C070 Relevance: 8.9, Strings: 7, Instructions: 180
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

UQp^, xrefs: 02A3C2BA
+VQp^, xrefs: 02A3C1F2
KVQp^, xrefs: 02A3C18E
{VQp^, xrefs: 02A3C0F8
kVQp^, xrefs: 02A3C12A
[VQp^, xrefs: 02A3C15C
;VQp^, xrefs: 02A3C1C0

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID: +VQp^$;VQp^$KVQp^$[VQp^$kVQp^${VQp^$UQp^
API String ID: 0-1312034515
Opcode ID: 904186f0f51ef95950cda9a27fa01513fa3d0cb0d068909bf0a91e97fe9ce9b9
Instruction ID: abc7042614fb456e28e04706ec146370c2bffebf285e74807d31139356312e04
Opcode Fuzzy Hash: 904186f0f51ef95950cda9a27fa01513fa3d0cb0d068909bf0a91e97fe9ce9b9
Instruction Fuzzy Hash: 507136326017019BC75AEB35D95054BBBB2FF85204358CA2E82578BB55EF72FD068BC1

Function 608DE63E Relevance: 7.6, APIs: 5, Instructions: 87
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

dllmain_raw.LIBCMT ref: 608DE67B
dllmain_crt_dispatch.LIBCMT ref: 608DE692
dllmain_raw.LIBCMT ref: 608DE6DA
dllmain_crt_dispatch.LIBCMT ref: 608DE6ED
dllmain_raw.LIBCMT ref: 608DE700

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 86b7edd1bb62c828949d2bf0198ec02e7df7fd3575d31152f31edee4af1e05e5
Instruction ID: fb5f89000f672f65fd0aaac0f66ea5a3e760d4ac9ff719a6aa1f11e0cbf30a57
Opcode Fuzzy Hash: 86b7edd1bb62c828949d2bf0198ec02e7df7fd3575d31152f31edee4af1e05e5
Instruction Fuzzy Hash: C0219171D04628ABDB62EF59D881A6FBA79EBB1A94F014F15F8155B390F730CD01CB90

Function 608B2010 Relevance: 4.6, APIs: 3, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

TryAcquireSRWLockExclusive.KERNEL32(?,?,?,00000000,?,60877598), ref: 608B2021
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,00000000,?,60877598), ref: 608B2167
ReleaseSRWLockExclusive.KERNEL32 ref: 608B21BA

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ExclusiveLock$Release$Acquire
String ID:
API String ID: 1021914862-0
Opcode ID: b95873c4163693c9e28e70e7198c83805c2c3ea500022436632a9d1c4fa8879d
Instruction ID: 22aee354d3f2d0971a74ce946c115a3f66a9b198cb26301ff659598d9fde4f42
Opcode Fuzzy Hash: b95873c4163693c9e28e70e7198c83805c2c3ea500022436632a9d1c4fa8879d
Instruction Fuzzy Hash: 4F41CF709087858BE706EF3CC94029EFFA1FF26304F448E29D9945A311EB75A999C7C1

Function 60876AD0 Relevance: 3.8, APIs: 3, Instructions: 95COMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?,6087656E,FFE00000,00000002,?,608B1D5F,00000002,FFE00000,?,00000002,FFE00000,?,?), ref: 60876ADD

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 6be7f8772fcea88fe8cac7f45fcb13efd427d7bee8e756adf7eed5eb6622e335
Instruction ID: ee549113ddccf31326768f715c98957db716dd82d54f662d7c5dd9fec1aa70f3
Opcode Fuzzy Hash: 6be7f8772fcea88fe8cac7f45fcb13efd427d7bee8e756adf7eed5eb6622e335
Instruction Fuzzy Hash: 5E11937074820CABEB288A19CC14B593F5AFB63354F208C25FB04DB688DA75AC615695

Function 60885D10 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(type,?,?,?,?,?,00000000,00000001,?,?,60871637), ref: 60885D40

Strings

type, xrefs: 60885D36

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: CommandLine
String ID: type
API String ID: 3253501508-2363381545
Opcode ID: bffc60ebf5563bf99e0fbd906dc12744f6e916bd1d8adcbd3aad09ea3192c515
Instruction ID: 44e5ebedca0f0e1787c1a6fbe8efe6600ca08e618a8f08da2524e10f3b57177e
Opcode Fuzzy Hash: bffc60ebf5563bf99e0fbd906dc12744f6e916bd1d8adcbd3aad09ea3192c515
Instruction Fuzzy Hash: C711E3B1D002195BCF11DB75DC09A9FBFB6EF65318F048839E80A76241EB31AA49CB91

Function 608B5DA0 Relevance: 3.3, APIs: 2, Instructions: 273COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(?), ref: 608B5F97
ReleaseSRWLockExclusive.KERNEL32(?,00000001), ref: 608B6001

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: f00fe601c32139e88cd35a316c57cdb4e34e4fda6c57c3cd970e9d2c769fd088
Instruction ID: 74ace669939198986b2803fb9a79efed623deba857a83cc8bba9443a896ca2e9
Opcode Fuzzy Hash: f00fe601c32139e88cd35a316c57cdb4e34e4fda6c57c3cd970e9d2c769fd088
Instruction Fuzzy Hash: 7FA1F132A006068FD705CF69C484B65FBF2FF55314F188A68E9199B392DB39ED51CB80

Function 608B1A20 Relevance: 3.2, APIs: 2, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f01e2e6735700534cfda2c76c12cad2265e9b4f0515046bae61652ea63c8fea8
Instruction ID: e9ef276b1519de4a6f33c3ae4ae7ed1c37f79c178c09583a47900ff885c7ea8e
Opcode Fuzzy Hash: f01e2e6735700534cfda2c76c12cad2265e9b4f0515046bae61652ea63c8fea8
Instruction Fuzzy Hash: 66A1E171B00A129FDB18CF29C890BE9B7F5FF94314F54852DE8299B795D734A841CB80

Function 608DE3FB Relevance: 3.1, APIs: 2, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 608DE448

Part of subcall function 608DE80B: InitializeSListHead.KERNEL32(60976558,608DE452,609590A8,00000010,608DE5FB,?,00000000,?,00000007,609590C8,00000010,608DE60E,?,?,608DE697,?), ref: 608DE810

___scrt_is_nonwritable_in_current_image.LIBCMT ref: 608DE4B2

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: Initialize$HeadList___scrt_is_nonwritable_in_current_image
String ID:
API String ID: 3231365870-0
Opcode ID: e80d36666a89ce741458ff05ce109ccbedccbc5a7fa2b8dc13f07891cbebb015
Instruction ID: c66486eca138698ff48a826990ba39374da7531cc15e802f56c6b6d80ba39e18
Opcode Fuzzy Hash: e80d36666a89ce741458ff05ce109ccbedccbc5a7fa2b8dc13f07891cbebb015
Instruction Fuzzy Hash: 5721E4322487009ADB05EBBDA80679CBB73DB7622CF104E69E4516B3C1FB715444EB69

Function 608DE502 Relevance: 3.1, APIs: 2, Instructions: 90COMMONLIBRARYCODE

Download Yara Rule

APIs

__RTC_Initialize.LIBCMT ref: 608DE549
___scrt_uninitialize_crt.LIBCMT ref: 608DE563

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: Initialize___scrt_uninitialize_crt
String ID:
API String ID: 2442719207-0
Opcode ID: 5f2a52ba804d10fa86e9c5c9c6a78905fa85b4cc768ef6ce5db137545af8f8b7
Instruction ID: f619260cba7d3b35147d8f674096125212dc927d92a77efbc1354dd369ca4e8c
Opcode Fuzzy Hash: 5f2a52ba804d10fa86e9c5c9c6a78905fa85b4cc768ef6ce5db137545af8f8b7
Instruction Fuzzy Hash: C421B0729182259ADB00EBBCA80679CBBB1EB7569DF104F15E050963D0FB719940EB51

Function 608F9C8B Relevance: 2.6, APIs: 2, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(8955CCCC,6090E74C,608EE571,608F8B90,8955CCCC,00000000,6090E6C6,608DEEAE,00000000,6090E74C,8955CCCC,6090E746,?,?,6090E6DA,60920573), ref: 608F9C8F
SetLastError.KERNEL32(00000000), ref: 608F9D31

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 13b47325c31d5737254bf413610c0fe0702c185d791fe17e34d08b24e5c1926c
Instruction ID: 49f303c0561ada70e4c7f4eb2ecc2cf0ae557a11e1e68d8958e3973a17d61572
Opcode Fuzzy Hash: 13b47325c31d5737254bf413610c0fe0702c185d791fe17e34d08b24e5c1926c
Instruction Fuzzy Hash: BF118A7155821D6BD602EFB9CCC5D2B3E5AEB622FD7200D20F594952A0EB654C43B168

Function 608B07C0 Relevance: 2.5, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00000001,00004000,?,608B1E3F,00000001,?,00000001,?,?,?,6090CFA4), ref: 608B07CE
GetLastError.KERNEL32(?,608B1E3F,00000001,?,00000001,?,?,?,6090CFA4), ref: 608B07DA

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ErrorFreeLastVirtual
String ID:
API String ID: 499627090-0
Opcode ID: fda46d43fa9917324260eeaa09c7fed450adda25edde7d698f758f131703b27c
Instruction ID: 9d7e61dde770db06408ddc2741a0553e8dbc45a9977bdcaa7788b21e517700b0
Opcode Fuzzy Hash: fda46d43fa9917324260eeaa09c7fed450adda25edde7d698f758f131703b27c
Instruction Fuzzy Hash: 15D0C97124420DBBAF115F66ED08B197F6AAB11651F008850FA18A99B1EF32E850AE58

Function 02A3B0B0 Relevance: 1.9, Strings: 1, Instructions: 680COMMON

Download Yara Rule

Strings

eQp^, xrefs: 02A3B23E

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID: eQp^
API String ID: 0-3406041080
Opcode ID: b133f90f4edd09a8e3b22a91eafbbdc87f322a873f1fc310765fa499fd3892d8
Instruction ID: 7cc144cd37308981ac5b0612dbfc2e5ba2f1fdc9330f12eac00e53093968efe0
Opcode Fuzzy Hash: b133f90f4edd09a8e3b22a91eafbbdc87f322a873f1fc310765fa499fd3892d8
Instruction Fuzzy Hash: 7F524934A11200CFCB69EF64D59896D7BB3FF88309B948469E41A8B369DF399C46CF50

Function 60884D30 Relevance: 1.6, APIs: 1, Instructions: 149COMMONLIBRARYCODE

Download Yara Rule

APIs

GetNativeSystemInfo.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?,6088433A,?), ref: 60884D9F

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: InfoNativeSystem
String ID:
API String ID: 1721193555-0
Opcode ID: 85818ff2d844d456d75bd59dae658923469875d69e267c07edf757ec88e5d411
Instruction ID: ae611975abc4d718439556a3ee35d04560f63129088dfbce5486d0d916897e26
Opcode Fuzzy Hash: 85818ff2d844d456d75bd59dae658923469875d69e267c07edf757ec88e5d411
Instruction Fuzzy Hash: F751A172E0421CDFCB25CFA8C48069DFBFAFFA9325F149929E455AB251D7709881CB80

Function 60887270 Relevance: 1.6, APIs: 1, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,00000000,00000104), ref: 608872B8

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 07265fc4f9e8f578bd33b732c5dc616247344aff6cb9a42dad8daedf180eb46c
Instruction ID: 8f35ba789f31f9aa2084431751e63e0b5917eb81df90d28c122c0df7843ae1ec
Opcode Fuzzy Hash: 07265fc4f9e8f578bd33b732c5dc616247344aff6cb9a42dad8daedf180eb46c
Instruction Fuzzy Hash: 372192B1D002095BDB10DFAADC459AFFFB8EFA5304F404829E459B6341D771A945CBA1

Function 608F7CC4 Relevance: 1.5, APIs: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,608E226B), ref: 608F08E2

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 8083744c7be8d62a89410e3c1a19de8597f362c83b2bcdc411963605980039ba
Instruction ID: 3a413ec632b70a4a9715f3f91dd3ba7504e1ed4c7151606e7e13d72ba30da0dd
Opcode Fuzzy Hash: 8083744c7be8d62a89410e3c1a19de8597f362c83b2bcdc411963605980039ba
Instruction Fuzzy Hash: 00F0963515030D7AFF029A759C07B6A3E19DF657D8F400824BE18680D2EFA288639651

Function 608F0D2F Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(565753E5,89167401,1839FFFD,8B08758B,D043E8CF,8BE85653,00000000,6090E636,608F09D3,68F1890C,6090E61E), ref: 608F0D4C

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 9aea7e10478eecdc287d4fb53e82d252cc4570ef2347cda586b5e078638e8fca
Instruction ID: 65235e12144e7ac5fda844c098909282558d5f24c8aa610b27e510029948700b
Opcode Fuzzy Hash: 9aea7e10478eecdc287d4fb53e82d252cc4570ef2347cda586b5e078638e8fca
Instruction Fuzzy Hash: 07D06C3201010DBBDF028F85DD06EDA3FAAFB48714F014000BA1866020C736E821AB91

Function 02A3C798 Relevance: 1.4, Strings: 1, Instructions: 133COMMON

Download Yara Rule

Strings

s@Qp^, xrefs: 02A3C95C

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID: s@Qp^
API String ID: 0-2756662502
Opcode ID: a925dc600d41947d6094bc778275c36001c9e646d50060e60b781d60f0c2bec3
Instruction ID: bb07b905ba015f661c6aedc95925b275bc6c5746fd74ec17c45208f6feeefe06
Opcode Fuzzy Hash: a925dc600d41947d6094bc778275c36001c9e646d50060e60b781d60f0c2bec3
Instruction Fuzzy Hash: 095108326007019BC35ADF35D85155ABBA2FF89214358CA2EC25AAB755EF31F9068FC1

Function 02A31058 Relevance: .8, Instructions: 835COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82c0e73001d09f8347339ee543c2af051a7d6a25ecff8e612a27dc1813a03ea0
Instruction ID: 3c9ce6efb1d7490df80886fd3170a17cf880e6d36d74116fa2369c6a3bfe4afc
Opcode Fuzzy Hash: 82c0e73001d09f8347339ee543c2af051a7d6a25ecff8e612a27dc1813a03ea0
Instruction Fuzzy Hash: 3D826D78610209CBEF56EBB5D654BAE7B73EB8C304F208424A90127B9DCB356D41DB36

Function 02A3AF90 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f45f7d22bd2d07217416b00b0c2dc109e1d02b1844f59082acd789d492cf0194
Instruction ID: c41f7d073b2016e3e1694ab58a85fc9cad9cb33df4af814727398111b74f29fc
Opcode Fuzzy Hash: f45f7d22bd2d07217416b00b0c2dc109e1d02b1844f59082acd789d492cf0194
Instruction Fuzzy Hash: 1761C1319093908FDB07EB79D8652C97FB1EF87208F0A44DFD1518F1A7EA245909CBA6

Function 02A3BB99 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2096f703497cc61d978016b31f87e22733d7013ca4b6861b44d86f37c862a43a
Instruction ID: ad06ac7c129396d7cd126017defe90ade20181d2f2554b20782ea4492de9c23d
Opcode Fuzzy Hash: 2096f703497cc61d978016b31f87e22733d7013ca4b6861b44d86f37c862a43a
Instruction Fuzzy Hash: C781FA78629105CFC3A5EB15E688919BBF3FB4830CBA0CA75D1094B719DB78A849CF40

Function 02A3385A Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24c96c617ef9aae728444be8dddf4e32df331a90d9d2c8d1b424ccc4dd5c5816
Instruction ID: 9f123073f09904d6a4d84c8119647b9657458c65c1e0d7d9847f6a7263b123e6
Opcode Fuzzy Hash: 24c96c617ef9aae728444be8dddf4e32df331a90d9d2c8d1b424ccc4dd5c5816
Instruction Fuzzy Hash: 8E611934A11219EFDB05DFA9E994AAEBBB2FF8C310F144055F905A7354DB34AC41CB90

Function 02A335F0 Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f36f08d756691c5d908c83ebea13af767d4c34348e97c11769441a143fd0459a
Instruction ID: 621f7c2b7d636b44be8519880832a006d81b5c4232bada1dda6cc76a53697085
Opcode Fuzzy Hash: f36f08d756691c5d908c83ebea13af767d4c34348e97c11769441a143fd0459a
Instruction Fuzzy Hash: 4041E6367102054FEB19B736A8A073F36D7EBC9664768492CE516CB398EE348D0687D1

Function 02A35AA0 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aec467b2090028d686b2014894da9cdd9ffc2e8a96f3694f2e78a183c57e1af
Instruction ID: 899cfd63338bcde5fa8f36744bb21b190528ba8af7eb12c5bdc9c2be8888a3c7
Opcode Fuzzy Hash: 8aec467b2090028d686b2014894da9cdd9ffc2e8a96f3694f2e78a183c57e1af
Instruction Fuzzy Hash: 0C51F675B106068FCB04DFA9D594A6EBBF6FF8C214B5140A9E50ADB361DB30ED05CBA0

Function 02A3BEAF Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54a4aafe6c1b73918bcaa55361974f323344e84f54516d179e4b91a23b601cda
Instruction ID: c26b4a278ec1f104761587c8b09695e8ad58591628ad58680c6e3e7c48f3ddfe
Opcode Fuzzy Hash: 54a4aafe6c1b73918bcaa55361974f323344e84f54516d179e4b91a23b601cda
Instruction Fuzzy Hash: 2A416C347106048FC744EF79C894A6EBBE6FF88714B2580A9E916DB3B5CA71EC018B90

Function 02A3BEC0 Relevance: .1, Instructions: 108COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3b22d1f97e4889d1dad24b29fdb97cbd861ed1cbea39ca370aeb312ebc0ffb4
Instruction ID: f33c5fb11951645820900a88ccea5dd1da0e2e4c63779d024e6eea4bf9646be5
Opcode Fuzzy Hash: d3b22d1f97e4889d1dad24b29fdb97cbd861ed1cbea39ca370aeb312ebc0ffb4
Instruction Fuzzy Hash: 5D414C347105058FCB44EF6DC894A2EBBE6FF88710B2580A9E516DB3B5CE71EC018B90

Function 02A32850 Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d164c3b44098607ac28caa6e0bdfea708547afdf4d52fee3d03903ea3dfe93d
Instruction ID: b42bb95a4e6469fa2eea3d1cd93f21df1bfd0fc305c92308ecd48f62ac65c95c
Opcode Fuzzy Hash: 5d164c3b44098607ac28caa6e0bdfea708547afdf4d52fee3d03903ea3dfe93d
Instruction Fuzzy Hash: EF41F434E10209CFDB15EFA5E584AADBBB2FF88305F104529E902AB654EF359841CF50

Function 02A35A91 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a26c2aaf914f606cd1242c3591e851adc8ff7dbbfe7812f6fc41a95ad8dcdb47
Instruction ID: 53b87531e0cf3b19479cbb829bbc08c4a05cc06ef2ec8a339d26f1285f5e6676
Opcode Fuzzy Hash: a26c2aaf914f606cd1242c3591e851adc8ff7dbbfe7812f6fc41a95ad8dcdb47
Instruction Fuzzy Hash: 23312775F002068FCB04DF69D984A6ABBF6FF8C214B518169E519DB321DB30ED05CBA0

Function 02A32B10 Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f225b34369c1b748ff78add24d26118cb112cd7dfab264b73cc0a6974a38f50
Instruction ID: 72d34603a1c9a839a5292c826c5aa623400d2b1e42ae420e14550f4ae70a1328
Opcode Fuzzy Hash: 5f225b34369c1b748ff78add24d26118cb112cd7dfab264b73cc0a6974a38f50
Instruction Fuzzy Hash: 053184393011158FCB19AB34D89469E33B3ABCA6657A0467CD056DB3B4DF39DC46CB90

Function 02A32B20 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4085f3d7610b6d040e8d92d45517ee6fefcec56ce02ff4b82fa3434a40e18922
Instruction ID: 2a694f0793c925dc8f77a524f4c21d18a2a77283ecf19e6d18624b0b42ca835c
Opcode Fuzzy Hash: 4085f3d7610b6d040e8d92d45517ee6fefcec56ce02ff4b82fa3434a40e18922
Instruction Fuzzy Hash: 413130383011058FCB19EB34D994A5E33B3ABCA6553A0467CD156DB3A4DF39DC46CB90

Function 02A32842 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91e96fd23b04745fb28a170ea77ea20fc1b78cdb5654498eb69a807ce0a6d4cd
Instruction ID: d0cb93ffeb367ada76551021fa4758d8fb2ad3b0e8fb4a770234281b6c308126
Opcode Fuzzy Hash: 91e96fd23b04745fb28a170ea77ea20fc1b78cdb5654498eb69a807ce0a6d4cd
Instruction Fuzzy Hash: 9C314930E10209DFDB15EFB5E5856EDBBB2FF88304F104A29E902AB254EF355845CB61

Function 02A35308 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7aeb85c126e883ad6c3cfc1273adab1fc76bfc05309786959cdd222f9af2b48
Instruction ID: b62cd63a30f46883dd3ddf5ee126a5a562c2ced43bffcd4e37634c2907522caa
Opcode Fuzzy Hash: a7aeb85c126e883ad6c3cfc1273adab1fc76bfc05309786959cdd222f9af2b48
Instruction Fuzzy Hash: CB411735A111189FDB05EFA9E5849ADBBF2BF8C305B648069E802A7364DF34AD41CF90

Function 02A32C48 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b05b06e51cf2e47a087feb334ebc59b41cc777e422e28718abffd1e9016234e
Instruction ID: a6db84b3920015bd985ce151d4b9fcb29ef243465a9ef0b12e3e4c07fc26a635
Opcode Fuzzy Hash: 0b05b06e51cf2e47a087feb334ebc59b41cc777e422e28718abffd1e9016234e
Instruction Fuzzy Hash: 4941303491020ACFEB15EFA5D9856EEBBB1FF8C304F10552AE901A7754EB345A41CF91

Function 02A32C58 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec672ca71b930fabea7fda9fd592f4ef964a0815ea8530d6594f7de3784edddb
Instruction ID: b3d8b25d32286cb78974235d53902b4b272f0571049e9d42a78e45855d039d3a
Opcode Fuzzy Hash: ec672ca71b930fabea7fda9fd592f4ef964a0815ea8530d6594f7de3784edddb
Instruction Fuzzy Hash: BA31FD3491020ACFDB14EFA5D9859EEBBB1FF8C304F10552AD901A7754EB346A41CF91

Function 02A34B70 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 983a67110032ef4ee858262de03997a718a308a413622d7cb663251f740d3e5f
Instruction ID: efb8bf4fc5e5abfdaacbd693cdc27bbaf0cf02e7a5089d2b56fd62767e53f59c
Opcode Fuzzy Hash: 983a67110032ef4ee858262de03997a718a308a413622d7cb663251f740d3e5f
Instruction Fuzzy Hash: B521D6312103029FD715FB3AE881B5E7BA6FFC8214F448A2DD1168B655EF70AD098B95

Function 02A3CEC0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39c347277cfe67ecdcc588718b8979c044662b4a66fd39b9e960b97c380d418d
Instruction ID: 30fcba59cb0455b2415c97abb867f4567a5c3aac9c9907743b46c511031193e1
Opcode Fuzzy Hash: 39c347277cfe67ecdcc588718b8979c044662b4a66fd39b9e960b97c380d418d
Instruction Fuzzy Hash: 48214474C00348DFDB22CFA9D989B9DBFB2BB48724F14846AE809B7240CB795945CF90

Function 02A34B80 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9462768fbda8e852dbfc26aa32c94a58310cb0e4004391cd8d86084ff1cbfe0e
Instruction ID: 2dbc3adc2ff938060558a0e87fe5f05966687b956b6070f8da6d918ca6f92dc0
Opcode Fuzzy Hash: 9462768fbda8e852dbfc26aa32c94a58310cb0e4004391cd8d86084ff1cbfe0e
Instruction Fuzzy Hash: 1821BB302103039FD719FB7AE881A5E7BA6FFC8214B448A2DD1154B654EF707D098BE5

Function 02A3CED0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c80bbfabbd609d4fbe82cc6d7d7b1b62eaac1e112ee1101c06819ab3d5b5081b
Instruction ID: 257c0be193699ea6f6ffcb0534253c02364f7ea5b2f6a3c6195af3dd03c040d6
Opcode Fuzzy Hash: c80bbfabbd609d4fbe82cc6d7d7b1b62eaac1e112ee1101c06819ab3d5b5081b
Instruction Fuzzy Hash: 41212674900348DFDB26CFA9D999B9EBFB6BF48324F14845AE805A7340CB795906CF90

Function 02A35C68 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b61c85e028473ca9c8a22d43da5e54f2077ec354b6962b5f86bb741da141fa35
Instruction ID: 3470657a63b06c6a7955a6e2c9b7c7ee5474b92af48e74b850db6b98be4a92ce
Opcode Fuzzy Hash: b61c85e028473ca9c8a22d43da5e54f2077ec354b6962b5f86bb741da141fa35
Instruction Fuzzy Hash: 38212735E002188FDB05CBA9D588ADDBBF1AF4C314F6011A5E505BB360DB75AE44CBA0

Function 02A36888 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcded8f1fa7cedff6ed331b92e9d30058198d2571db615b60feb99559f348926
Instruction ID: d151e0e6a8c73134b791ae15e8cf1589006037e2ec10ee0de27aa91209c9cc83
Opcode Fuzzy Hash: bcded8f1fa7cedff6ed331b92e9d30058198d2571db615b60feb99559f348926
Instruction Fuzzy Hash: 4D11DF71900219EFDB09DFA4CA897AEBBF6BB05704F108469E401B7251DF768A04CF54

Function 02A35C5B Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffae12ccdc2b2a2f7739bb67df251add196a6d8a84b234bea34f9b6d15eb8efd
Instruction ID: bd39b53b70b9b9f6f7fb91b2ae002ca8cc91b5f5ffb759b628a5c505880ee34b
Opcode Fuzzy Hash: ffae12ccdc2b2a2f7739bb67df251add196a6d8a84b234bea34f9b6d15eb8efd
Instruction Fuzzy Hash: E4111735E002588FDB05CBA9C598BEDBBF1AF4C314F641599E502BB361DB759E80CBA0

Function 02A341A2 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 726e29bd760eee87b8a5510f5515798d9bd0a5c82623c89f51def8ab19d2de9d
Instruction ID: 632d314ba3eba1916cd03b0796e20d1d7b0379aa1dc240fce8ac7c2f1dfe4e71
Opcode Fuzzy Hash: 726e29bd760eee87b8a5510f5515798d9bd0a5c82623c89f51def8ab19d2de9d
Instruction Fuzzy Hash: 3B017B327083515FDB1A7335AC713AF3FBAEBCA120798045EE105DB381CE251C0983A5

Function 02A34248 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f5852521ec441da7f13c06e71738681cf9bc088fe0766b1c2788f237cc2908d
Instruction ID: 78d96e92455cebd9c234b9d676cc9e626d7d93652014c6e5ce14775a4c931557
Opcode Fuzzy Hash: 7f5852521ec441da7f13c06e71738681cf9bc088fe0766b1c2788f237cc2908d
Instruction Fuzzy Hash: B6019C323042404FD706A37A642423E3BA3FFC6520388409EE0818B354DE685C06C7D5

Function 02A35911 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21920c7ae95ee30dfcc7b4393e9ab045fc959d46ded8b188b3478d150556e628
Instruction ID: 60d835bfda82c988d600066eb5026ea0936745167f984f605c6c8bed3c09baa6
Opcode Fuzzy Hash: 21920c7ae95ee30dfcc7b4393e9ab045fc959d46ded8b188b3478d150556e628
Instruction Fuzzy Hash: 5801F2727102109FD301AB2AE885A1E7FFAEB9A21431880AAE440C7311DA398C01CBA1

Function 02A3C000 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72bd3bc6ec34ecee32e183ee3e2392334d6b940c70b391870adab2fcdab04896
Instruction ID: 43ef865ea2e040a252cc2562c646bd754d62480cc3c88ce6cf5ba393c81fcf2f
Opcode Fuzzy Hash: 72bd3bc6ec34ecee32e183ee3e2392334d6b940c70b391870adab2fcdab04896
Instruction Fuzzy Hash: D311AD30320216CFDB10EB3AE854A99BBF2FF8870871045ADE106CB625DB32AD018B81

Function 02A332E0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3fc2d710e06de81b42b7aa51d75fb5034ac8c7232be97a2812a68762b925e00
Instruction ID: 2a2abb95a00678be3253fd478707e7e06078b03fbb5c346678f5423abbb2b52f
Opcode Fuzzy Hash: a3fc2d710e06de81b42b7aa51d75fb5034ac8c7232be97a2812a68762b925e00
Instruction Fuzzy Hash: 7E110939A202449BEB08EFB4E559BAE7FF2AB88305F448469E90297740DF395806CF50

Function 02A35940 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f22014a089f64fff55dc68d8ce0bc2d38e25f76198aa7139cb81c254f20e0a
Instruction ID: fe59b167dae8907fda6af25e851d65a0871f476ac4b7a1827aba8f6c0f2844b4
Opcode Fuzzy Hash: d8f22014a089f64fff55dc68d8ce0bc2d38e25f76198aa7139cb81c254f20e0a
Instruction Fuzzy Hash: 4A01A4777102108F8704AB7AF49482EBBE6FBDD665354457AFA05C7300DE329C02CBA1

Function 02A32A80 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 748109dc516a954b58e986a48e6f92c87e47634937a0fb76aff97c99bc014f6e
Instruction ID: 4e69221114536bdb6ac22629a50f0f8f2a7a5955ce44a224ff00d3e2d6a6880e
Opcode Fuzzy Hash: 748109dc516a954b58e986a48e6f92c87e47634937a0fb76aff97c99bc014f6e
Instruction Fuzzy Hash: 030178316107048BCB11EB39D448A9B7BE2FF85625B048969E126CF724DB75EC048FC0

Function 02A332F0 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a4ff1e4d2328ca26fe3690645c71943abf21e1b437f04114c910daa35bf067e
Instruction ID: 6f6fd680f41ad18607ea9b5c3fd2e742321b49e2470cb99cd8273c2832fd1b82
Opcode Fuzzy Hash: 7a4ff1e4d2328ca26fe3690645c71943abf21e1b437f04114c910daa35bf067e
Instruction Fuzzy Hash: 3501ED38A20244DBEB08EFB4E55979D7FF2BB88301F008469E90297640DF395806CF50

Function 02A32A90 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec187ba1b55b14a35a2445e520c83b913908cc92082064a2a441ab01d6bff38e
Instruction ID: 12142fc2c8bbe2b787b2534fee5e663ccdec6103e9d7551ee2860a6708672c95
Opcode Fuzzy Hash: ec187ba1b55b14a35a2445e520c83b913908cc92082064a2a441ab01d6bff38e
Instruction Fuzzy Hash: ECF042316207048BCB14AB39C44888B7BE2FF856297048969E166CB324EFB1EC088FC0

Function 02A337F0 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1d3cb2660d8c2b706a03110dbfda1d6a6fd87ec49aa0819a040b7c10d33a8a7
Instruction ID: 148d7a6fd8fa87f94597d7fd7793756cf514ea9a86f448e386be9d17681d25ee
Opcode Fuzzy Hash: a1d3cb2660d8c2b706a03110dbfda1d6a6fd87ec49aa0819a040b7c10d33a8a7
Instruction Fuzzy Hash: 47F052327142505BEB19AB7A681067E36EB9BC9620718467AF619C73D0CF254C0683E0

Function 02A34237 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 157a60bf5a3a3263ccc414eb4ffee1d8d4f2b01c73244ec6ef28b912bfb33dcd
Instruction ID: 30b3e93b15c3da670b64440159d3b76ad65898beed1ac5a3327b5ec9c1a2e1b2
Opcode Fuzzy Hash: 157a60bf5a3a3263ccc414eb4ffee1d8d4f2b01c73244ec6ef28b912bfb33dcd
Instruction Fuzzy Hash: 0EF055332002001BE719A77AF841BFF7B46EBC0220F88062DF4018B600DE74AD0647D8

Function 02A36388 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2f10ad71a22cba1d06cdfcba03e2d83ad5390f103729afbbbac38c1c27084b1
Instruction ID: 03f9b0d555e2e7a3f3be56b431510d3f93ee334f5823b624253dd12f305a9750
Opcode Fuzzy Hash: b2f10ad71a22cba1d06cdfcba03e2d83ad5390f103729afbbbac38c1c27084b1
Instruction Fuzzy Hash: 7BF05475E10209EFCF44EFB8E95669D7BF1EFA9204F504199D405E7340EA305F059B91

Function 02A32D92 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d282a7df0323866a670034808cba2d3d231896b046995cfc6b64dece5207dd66
Instruction ID: cc148d89f7333252741817e3b0101d2bc5e97cc671cf286a23c8ba144fe8b2c4
Opcode Fuzzy Hash: d282a7df0323866a670034808cba2d3d231896b046995cfc6b64dece5207dd66
Instruction Fuzzy Hash: 63F01C71E101189FCB84EFBCD5456DE7BF5EF49214B51407AE519E3300EB709E118B91

Function 02A36398 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df98813c8a560e547fcad909b7beadd43e365b9e702edcd19cb58f384da16df8
Instruction ID: 94a7f1899ae1a326192b84ae3d5d4557aa409c88dca062d8ae38b8627e641ca9
Opcode Fuzzy Hash: df98813c8a560e547fcad909b7beadd43e365b9e702edcd19cb58f384da16df8
Instruction Fuzzy Hash: 52F08C30E1020AEF8B04EFB8E98295DBBB1EF98200F5041A9A808E7240EE305E049B81

Function 02A31FF8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 237f5870e5e384ece42e98ab97da37f952626e484c146707715f0aef9f8a83c0
Instruction ID: d6de1af412832e351acfc2ab84741b292c3c42bc6d91107d5ef39ec5f8f56085
Opcode Fuzzy Hash: 237f5870e5e384ece42e98ab97da37f952626e484c146707715f0aef9f8a83c0
Instruction Fuzzy Hash: 1EE086363501204FC7055679E469ADE7BDDDFC9622B040466F506CB360DD79DD0286A0

Function 02A32DA0 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97c09cbee82d89a4cc3b20137359e14ec6d15537bebf50697b15ce69a46a9206
Instruction ID: 7260a29d629972e911af7c959ee412d7d5312fd73945bb435845d1ab51d028c2
Opcode Fuzzy Hash: 97c09cbee82d89a4cc3b20137359e14ec6d15537bebf50697b15ce69a46a9206
Instruction Fuzzy Hash: F7E0E571E20118DF8B88EFBCD5056DE7BF5EF49214B6180AAE619E7310EB709E018B91

Function 02A337EE Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e93307e42cbe5a6612549ad8da25262f2eb226b0c817eddfaa5f41e6ff10972
Instruction ID: 3ad0ca5c00e61d7ada508e12517ec198cefd0485861c57bf043dd4bbb0865c02
Opcode Fuzzy Hash: 9e93307e42cbe5a6612549ad8da25262f2eb226b0c817eddfaa5f41e6ff10972
Instruction Fuzzy Hash: 55D02E32B10210A7EB149BA9B900AFB338FABC8221B084826FA08C3604DFA588021390

Function 02A32008 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43338b313e72e8c7f8740c4f6af2f6c794d2f5d68fd5a73f807a5f593a840237
Instruction ID: 423368d179a12df34cdfbde00cb205f0dceb8c793f1836d5fb3d79cb00e4d614
Opcode Fuzzy Hash: 43338b313e72e8c7f8740c4f6af2f6c794d2f5d68fd5a73f807a5f593a840237
Instruction Fuzzy Hash: 88D012357502544FCB045A7DD41885E7BD9DFC96223010466F506C7320DD75DC0187A0

Function 02A366C8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5596e3aa5e6ef41ff9adfbf0b124ed279d2b317ca8b5e95a7fa3f3a28304f47
Instruction ID: c24e68bd38db54a3553678bfd8373017b98c86ea45616f0004092b2940aafcc1
Opcode Fuzzy Hash: e5596e3aa5e6ef41ff9adfbf0b124ed279d2b317ca8b5e95a7fa3f3a28304f47
Instruction Fuzzy Hash: 77D05E31B203204BD744172CB45566E26E9EBC9621B19413BF501C7200EF240C02D340

Function 02A36469 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 998a9dcf577fc626aaee6b83b82ed9b3b7fdc0773a28b21f224a94a6cb615991
Instruction ID: f52cc403b53dcf7b60978d4089eb5a540ba70d2384835f580b09713a10643795
Opcode Fuzzy Hash: 998a9dcf577fc626aaee6b83b82ed9b3b7fdc0773a28b21f224a94a6cb615991
Instruction Fuzzy Hash: 5AD05EB56143008FC3059B28E4928293BF6FB8C31470144E9E508C7366EE24EC02CA56

Function 02A3CFFE Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32352c521365040d9600921eff90d71cf700c351b5c749d05a7e436bbca42c1f
Instruction ID: d567396c8e89d5e36b36b79c41a25a9804cd15c5956f563a0d6d989f28271298
Opcode Fuzzy Hash: 32352c521365040d9600921eff90d71cf700c351b5c749d05a7e436bbca42c1f
Instruction Fuzzy Hash: 42D0A73C415201C7FF22071291593783D617F81319F14C02DB80B46688CFFE8087DE10

Function 02A36478 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccba011f6f9746055e264d5ca5fe86f33c98890771543bd5352f688af26646d3
Instruction ID: 4719191d0a87bf6a8dff6e5bd15104fd3022c5da4fc16b134fdb76b1daf906b4
Opcode Fuzzy Hash: ccba011f6f9746055e264d5ca5fe86f33c98890771543bd5352f688af26646d3
Instruction Fuzzy Hash: 7BC012343402048F8208EB6CE08682933EAFBCC70431040A8EA09CB32ADE20EC42CA99

Function 02A35640 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7075e48c581dfb405a0923c7915510b915644084c40b1f4f02e62479971d255a
Instruction ID: 0ef57793a97ec1422833b6972dceccbf0f8d46fa1b35b06214c61a1e40b5fcd9
Opcode Fuzzy Hash: 7075e48c581dfb405a0923c7915510b915644084c40b1f4f02e62479971d255a
Instruction Fuzzy Hash: 5CB02B306102099796011619EC094113B1DEB401183440194FC0800100AF23D4110080

Function 02A3CAA0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3564273273.0000000002A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_2a30000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 628f9e5c16316b3d542141a7d4bff7018f278baae9c95b7b997dc27566eded70
Instruction ID: c5fd330d49ace20d77bd32ecdb01669b4e6910009623ecbc085c9f5938ca44c0
Opcode Fuzzy Hash: 628f9e5c16316b3d542141a7d4bff7018f278baae9c95b7b997dc27566eded70
Instruction Fuzzy Hash: 63B092B79A02404AEE428B72AD8A34837A0BB11612F080110F004856A4D6A80203860E

Non-executed Functions

Function 6088C220 Relevance: 88.6, APIs: 12, Strings: 38, Instructions: 1110processCOMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 6088C4FE
OpenProcess.KERNEL32(001F0FFF,00000001,00000000), ref: 6088C50C
GetStdHandle.KERNEL32(000000F6), ref: 6088C96F
GetStdHandle.KERNEL32(000000F5), ref: 6088C977
GetStdHandle.KERNEL32(000000F4), ref: 6088C97F
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000001,00000000,00000000,00000000,?,?), ref: 6088CABB
CloseHandle.KERNEL32(?), ref: 6088CACD
CloseHandle.KERNEL32(?), ref: 6088CAEF
__Init_thread_header.LIBCMT ref: 6088CB92
GetLastError.KERNEL32 ref: 6088CC83

Strings

__len == 0 || __s != nullptr, xrefs: 6088D055
__loc != nullptr, xrefs: 6088D092
vector[] index out of bounds, xrefs: 6088D03A
InitializeProcThreadAttributeList, xrefs: 6088CFA4
__n < size(), xrefs: 6088D03F
::DeleteProcThreadAttributeList, xrefs: 6088CBA5
kernel32.dll, xrefs: 6088CBAA, 6088D1F8, 6088D245
node shouldn't be null, xrefs: 6088D077
::UpdateProcThreadAttribute, xrefs: 6088D1F3
rundll32.exe, xrefs: 6088D0D6
CreateProcess, xrefs: 6088CC61
D, xrefs: 6088CA45
UpdateProcThreadAttribute, xrefs: 6088CFE9
attachment, xrefs: 6088C5E1
..\..\third_party\crashpad\crashpad\client\crashpad_client_win.cc, xrefs: 6088C648, 6088CC4E, 6088CCB6, 6088CF91, 6088CFD6, 6088D11B, 6088D15E, 6088D1A1
..\..\third_party\libc++\src\include\__tree, xrefs: 6088D086
null pointer given to construct_at, xrefs: 6088D01F
__location != nullptr, xrefs: 6088D024
..\..\third_party\libc++\src\include\string_view, xrefs: 6088D05F
..\..\third_party\libc++\src\include\__memory\construct_at.h, xrefs: 6088D02B
--initial-client-data=, xrefs: 6088C84E
url, xrefs: 6088C76E
..\..\third_party\libc++\src\include\vector, xrefs: 6088D049
__x != nullptr, xrefs: 6088D07C
string_view::string_view(_CharT *, size_t): length does not fit in difference_type, xrefs: 6088D066
OpenProcess, xrefs: 6088C65B
__len <= static_cast<size_type>(numeric_limits<difference_type>::max()), xrefs: 6088D06B
null pointer given to destroy_at, xrefs: 6088D08D
InitializeProcThreadAttributeList (size) succeeded, expected failure, xrefs: 6088D12E
InitializeProcThreadAttributeList (size), xrefs: 6088CCC9
database, xrefs: 6088C6EB
annotation, xrefs: 6088C373
metrics-dir, xrefs: 6088C682
::InitializeProcThreadAttributeList, xrefs: 6088D240
CloseHandle thread, xrefs: 6088D171
string_view::string_view(_CharT *, size_t): received nullptr, xrefs: 6088D050
%s:%d: assertion %s failed: %s, xrefs: 6088D030
CloseHandle process, xrefs: 6088D1B4

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: Handle$Process$Close$CreateCurrentErrorInit_thread_headerLastOpen
String ID: %s:%d: assertion %s failed: %s$--initial-client-data=$..\..\third_party\crashpad\crashpad\client\crashpad_client_win.cc$..\..\third_party\libc++\src\include\__memory\construct_at.h$..\..\third_party\libc++\src\include\__tree$..\..\third_party\libc++\src\include\string_view$..\..\third_party\libc++\src\include\vector$::DeleteProcThreadAttributeList$::InitializeProcThreadAttributeList$::UpdateProcThreadAttribute$CloseHandle process$CloseHandle thread$CreateProcess$D$InitializeProcThreadAttributeList$InitializeProcThreadAttributeList (size)$InitializeProcThreadAttributeList (size) succeeded, expected failure$OpenProcess$UpdateProcThreadAttribute$__len <= static_cast<size_type>(numeric_limits<difference_type>::max())$__len == 0 || __s != nullptr$__loc != nullptr$__location != nullptr$__n < size()$__x != nullptr$annotation$attachment$database$kernel32.dll$metrics-dir$node shouldn't be null$null pointer given to construct_at$null pointer given to destroy_at$rundll32.exe$string_view::string_view(_CharT *, size_t): length does not fit in difference_type$string_view::string_view(_CharT *, size_t): received nullptr$url$vector[] index out of bounds
API String ID: 524609849-521758903
Opcode ID: bef42c0174b83c48c8b9bf9c867ea46213d218d750885f8f393592a93c4bcafe
Instruction ID: 2c2569930c6f585c32da90c0aea594c65831cbebdd932883b193925e05dde3c5
Opcode Fuzzy Hash: bef42c0174b83c48c8b9bf9c867ea46213d218d750885f8f393592a93c4bcafe
Instruction Fuzzy Hash: A992D7B15083519BD721CB24CC41B6A7BE6EFA5708F004E2DF989A7396EB31E944CB52

Function 60890970 Relevance: 56.9, APIs: 14, Strings: 18, Instructions: 931libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(shell32.dll,60886CAA,FFFDCFBD), ref: 60890A25
GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathW), ref: 60890A40
LoadLibraryW.KERNEL32(advapi32.dll,00000000,?,?,?,?), ref: 60890E0E
GetProcAddress.KERNEL32(00000000,GetUserNameW), ref: 60890E24
LoadLibraryW.KERNEL32(wtsapi32.dll), ref: 60890ED9
GetProcAddress.KERNEL32(00000000,WTSQuerySessionInformationW), ref: 60890EF0
LoadLibraryW.KERNEL32(wtsapi32.dll), ref: 60890F07
GetProcAddress.KERNEL32(00000000,WTSFreeMemory), ref: 60890F1C
FreeLibrary.KERNEL32(00000000), ref: 60890FDA
FreeLibrary.KERNEL32(?), ref: 60890FEB
FreeLibrary.KERNEL32(00000000), ref: 60890FFF
FreeLibrary.KERNEL32(?), ref: 60891010
GetComputerNameExW.KERNEL32(00000005,00000000,?), ref: 60891607
GetComputerNameExW.KERNEL32(00000005,00000000,?), ref: 60891633

Strings

WTSQuerySessionInformationW, xrefs: 60890EEA
SHGetSpecialFolderPathW, xrefs: 60890A3A
shell32.dll, xrefs: 60890A20
string::front(): string is empty, xrefs: 60891565
!empty(), xrefs: 60891559, 6089156A
__s < __min_cap, xrefs: 60891519
GetUserNameW, xrefs: 60890E1E
string index out of bounds, xrefs: 60891543
string::back(): string is empty, xrefs: 60891554
__pos <= size(), xrefs: 60891548
wtsapi32.dll, xrefs: 60890ED4, 60890F02
__s != nullptr, xrefs: 6089152A
..\..\third_party\libc++\src\include\string, xrefs: 60891534
WTSFreeMemory, xrefs: 60890F16
__s should never be greater than or equal to the short string capacity, xrefs: 60891514
string::find(): received nullptr, xrefs: 60891525
advapi32.dll, xrefs: 60890E09
%s:%d: assertion %s failed: %s, xrefs: 60891539

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: Library$AddressFreeLoadProc$ComputerName
String ID: !empty()$%s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\string$GetUserNameW$SHGetSpecialFolderPathW$WTSFreeMemory$WTSQuerySessionInformationW$__pos <= size()$__s != nullptr$__s < __min_cap$__s should never be greater than or equal to the short string capacity$advapi32.dll$shell32.dll$string index out of bounds$string::back(): string is empty$string::find(): received nullptr$string::front(): string is empty$wtsapi32.dll
API String ID: 1411496036-850507284
Opcode ID: 58c14ce181e22c8914359e700373edf2a33ce4d967fa593e3a83f4c661f59489
Instruction ID: f77c34458a40d014b50242d0b98fda02d350560a13ad37560271a3936e6c14dd
Opcode Fuzzy Hash: 58c14ce181e22c8914359e700373edf2a33ce4d967fa593e3a83f4c661f59489
Instruction Fuzzy Hash: BE820671D042299FCF25EF5CC888699BBB6EF65314F048AD9D819A7291D770AEC4CF80

Function 6088AFB0 Relevance: 49.9, APIs: 3, Strings: 25, Instructions: 852COMMON

Download Yara Rule

APIs

Part of subcall function 60889030: __Init_thread_header.LIBCMT ref: 60889056

GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?,?), ref: 6088B3B0
_strlen.LIBCMT ref: 6088B430
_strlen.LIBCMT ref: 6088B916

Strings

__len == 0 || __s != nullptr, xrefs: 6088AF7F, 6088BB68
__loc != nullptr, xrefs: 6088BB29
/prefetch:7, xrefs: 6088B5EE
product, xrefs: 6088AAF5
--type=, xrefs: 6088B420
--user-data-dir=, xrefs: 6088B518
--monitor-self, xrefs: 6088B787
special, xrefs: 6088ADBE
version, xrefs: 6088ABDF
crashpad-handler, xrefs: 6088B42A, 6088B42F, 6088B43B, 6088B910, 6088B915, 6088B921
null pointer given to construct_at, xrefs: 6088BB3F
__location != nullptr, xrefs: 6088BB44
..\..\third_party\libc++\src\include\string_view, xrefs: 6088AF9A, 6088BB5C
..\..\third_party\libc++\src\include\__memory\construct_at.h, xrefs: 6088BB30
win32, xrefs: 6088AE59
CHROME_CRASHPAD_PIPE_NAME, xrefs: 6088B018, 6088BADD
platform, xrefs: 6088AE6B
--monitor-self-annotation=ptype=, xrefs: 6088B906
string_view::string_view(_CharT *, size_t): length does not fit in difference_type, xrefs: 6088AF8B, 6088BB4D
__len <= static_cast<size_type>(numeric_limits<difference_type>::max()), xrefs: 6088AF90, 6088BB52
null pointer given to destroy_at, xrefs: 6088BB24
--monitor-self-argument=, xrefs: 6088B867
channel, xrefs: 6088ACD0
%s:%d: assertion %s failed: %s, xrefs: 6088AF9F, 6088BB35
string_view::string_view(_CharT *, size_t): received nullptr, xrefs: 6088AF7A, 6088BB63

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: _strlen$FileInit_thread_headerModuleName
String ID: %s:%d: assertion %s failed: %s$--monitor-self$--monitor-self-annotation=ptype=$--monitor-self-argument=$--type=$--user-data-dir=$..\..\third_party\libc++\src\include\__memory\construct_at.h$..\..\third_party\libc++\src\include\string_view$/prefetch:7$CHROME_CRASHPAD_PIPE_NAME$__len <= static_cast<size_type>(numeric_limits<difference_type>::max())$__len == 0 || __s != nullptr$__loc != nullptr$__location != nullptr$channel$crashpad-handler$null pointer given to construct_at$null pointer given to destroy_at$platform$product$special$string_view::string_view(_CharT *, size_t): length does not fit in difference_type$string_view::string_view(_CharT *, size_t): received nullptr$version$win32
API String ID: 2217292231-1038166415
Opcode ID: a5417600d55197d5df8ca58c2217a5e3407ea1cce46b7c91eaa49b99c50445a7
Instruction ID: 1d783aa0aa66065b482be0f2f8c177d881320de5776054611034ea999664bada
Opcode Fuzzy Hash: a5417600d55197d5df8ca58c2217a5e3407ea1cce46b7c91eaa49b99c50445a7
Instruction Fuzzy Hash: CC72B1B1D052298BDF25DF28CC89B9ABBB5EFA5304F1049E9E40DA7251DB309E85CF50

Function 608841C0 Relevance: 37.4, APIs: 9, Strings: 12, Instructions: 645nativeCOMMONLIBRARYCODE

Download Yara Rule

APIs

NtClose.NTDLL ref: 60884236
NtClose.NTDLL ref: 6088423F
RtlInitUnicodeString.NTDLL(?,?), ref: 6088467F
NtCreateKey.NTDLL ref: 608846BC
NtClose.NTDLL ref: 608846F0
NtClose.NTDLL ref: 60884724
RtlInitUnicodeString.NTDLL(00000002,?), ref: 608847CE
NtCreateKey.NTDLL ref: 60884801
NtDeleteKey.NTDLL(?), ref: 60884874

Strings

null pointer given to destroy_at, xrefs: 6088492A
null pointer given to construct_at, xrefs: 60884917
__location != nullptr, xrefs: 6088491C
..\..\third_party\libc++\src\include\__memory\construct_at.h, xrefs: 60884923
__loc != nullptr, xrefs: 6088492F
vector[] index out of bounds, xrefs: 608848E8
__n < size(), xrefs: 608848ED
!empty(), xrefs: 608848FE
\BLBeacon, xrefs: 608841C4
back() called on an empty vector, xrefs: 608848F9
..\..\third_party\libc++\src\include\vector, xrefs: 60884908
%s:%d: assertion %s failed: %s, xrefs: 6088490D

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: Close$CreateInitStringUnicode$Delete
String ID: !empty()$%s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\__memory\construct_at.h$..\..\third_party\libc++\src\include\vector$\BLBeacon$__loc != nullptr$__location != nullptr$__n < size()$back() called on an empty vector$null pointer given to construct_at$null pointer given to destroy_at$vector[] index out of bounds
API String ID: 2261198623-4100931080
Opcode ID: 56a9ec274215f503ef7c128f8cf749f797edb258a1f5c47e45a75d7fdc32335b
Instruction ID: ea0967c3257fe42723d64d359a96813eeed64b292bf96e93ba3bbe9d0af78c24
Opcode Fuzzy Hash: 56a9ec274215f503ef7c128f8cf749f797edb258a1f5c47e45a75d7fdc32335b
Instruction Fuzzy Hash: 8232D5B2D042299FDF15CFE8C880ADEBBBAEFA5304F145929E815BB245D7709D45CB80

Function 60874F30 Relevance: 36.4, APIs: 1, Strings: 23, Instructions: 410memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,?,00003000,00000004,?), ref: 60875384

Strings

LowLevelAlloc arithmetic overflow, xrefs: 608754B4
reinterpret_cast<char *>(prev) + prev->header.size < reinterpret_cast<char *>(next), xrefs: 608754F4
unordered freelist, xrefs: 60875446
new_pages != nullptr, xrefs: 6087548D
prev < next, xrefs: 6087544B
next->header.magic == Magic(kMagicUnallocated, &next->header), xrefs: 60875432
s->header.arena == arena, xrefs: 60875461
malformed freelist, xrefs: 608754EF
f->header.arena == arena, xrefs: 60875133
next->header.arena == arena, xrefs: 608754DE
i < prev->levels, xrefs: 608754A3
bad arena pointer in AddToFreelist(), xrefs: 6087512E
bad magic number in Next(), xrefs: 6087542D
block not big enough for even one level, xrefs: 60875144, 60875472
f->header.magic == Magic(kMagicAllocated, &f->header), xrefs: 6087511D
VirtualAlloc failed, xrefs: 60875488
low_level_alloc.cc, xrefs: 60875158, 608754C8
too few levels in Next(), xrefs: 6087549E
Check %s failed: %s, xrefs: 60875122, 60875138, 6087514E, 60875437, 60875450, 60875466, 6087547C, 60875492, 608754A8, 608754BE, 608754E3, 608754F9
sum >= a, xrefs: 608754B9
bad magic number in AddToFreelist(), xrefs: 60875118
bad arena pointer in Next(), xrefs: 608754D9
level >= 1, xrefs: 60875149, 60875477

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: AllocVirtual
String ID: Check %s failed: %s$LowLevelAlloc arithmetic overflow$VirtualAlloc failed$bad arena pointer in AddToFreelist()$bad arena pointer in Next()$bad magic number in AddToFreelist()$bad magic number in Next()$block not big enough for even one level$f->header.arena == arena$f->header.magic == Magic(kMagicAllocated, &f->header)$i < prev->levels$level >= 1$low_level_alloc.cc$malformed freelist$new_pages != nullptr$next->header.arena == arena$next->header.magic == Magic(kMagicUnallocated, &next->header)$prev < next$reinterpret_cast<char *>(prev) + prev->header.size < reinterpret_cast<char *>(next)$s->header.arena == arena$sum >= a$too few levels in Next()$unordered freelist
API String ID: 4275171209-1419311098
Opcode ID: 142c5ec1ad2b1ac4292501d193af079456557e131683750e5167343671835887
Instruction ID: ebd77943e88a8f92f6d089055bcd1bef1274e55ef5258dae872d08774ce4d814
Opcode Fuzzy Hash: 142c5ec1ad2b1ac4292501d193af079456557e131683750e5167343671835887
Instruction Fuzzy Hash: B9F1A371E003599FEB20CF15C880B5DB7B2FBE5304F21C9A9D449AB245DBB1AD85CB91

Function 608D1490 Relevance: 30.4, APIs: 4, Strings: 13, Instructions: 657COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 608D14EF

Strings

__s2 < __s1 || __s2 >= __s1+__n, xrefs: 608D1A05
null pointer given to construct_at, xrefs: 608D1C96
__location != nullptr, xrefs: 608D1C9B
..\..\third_party\libc++\src\include\string_view, xrefs: 608D1C87
..\..\third_party\libc++\src\include\__memory\construct_at.h, xrefs: 608D1CA2
3333, xrefs: 608D1AAD
..\..\third_party\libc++\src\include\__string\char_traits.h, xrefs: 608D1A0F
char_traits::copy overlapped range, xrefs: 608D1A00
null pointer passed to non-null argument of char_traits<...>::length, xrefs: 608D1C78
3333, xrefs: 608D159A
__s != nullptr, xrefs: 608D1C7D
3333, xrefs: 608D18E1
%s:%d: assertion %s failed: %s, xrefs: 608D1A14, 608D1C8C, 608D1CA7

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: _strlen
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\__memory\construct_at.h$..\..\third_party\libc++\src\include\__string\char_traits.h$..\..\third_party\libc++\src\include\string_view$3333$3333$3333$__location != nullptr$__s != nullptr$__s2 < __s1 || __s2 >= __s1+__n$char_traits::copy overlapped range$null pointer given to construct_at$null pointer passed to non-null argument of char_traits<...>::length
API String ID: 4218353326-2267693326
Opcode ID: 328ce9d6d3b7d99a66f3458c7ceed51a823a40993115d87f09b83c6c3e5f8c3d
Instruction ID: e1c27326dd757588055d645725fdb4b8797be71dbea05ebcb0580bb0d42ea0eb
Opcode Fuzzy Hash: 328ce9d6d3b7d99a66f3458c7ceed51a823a40993115d87f09b83c6c3e5f8c3d
Instruction Fuzzy Hash: BF32B271F14618ABCF05CF69C89169DBBB3EFA9314B148B29E456A7390EB31EC41CB50

Function 608D2A90 Relevance: 30.3, APIs: 4, Strings: 13, Instructions: 574COMMON

Download Yara Rule

APIs

__Init_thread_header.LIBCMT ref: 608D30D7
__Init_thread_header.LIBCMT ref: 608D3117
__Init_thread_header.LIBCMT ref: 608D3157
__Init_thread_header.LIBCMT ref: 608D3197

Strings

__len == 0 || __s != nullptr, xrefs: 608D31F0
SampleVector-range_max, xrefs: 608D316E
..\..\third_party\libc++\src\include\string_view, xrefs: 608D31E1
vector[] index out of bounds, xrefs: 608D2BD7, 608D30B4
__n < size(), xrefs: 608D2BDC, 608D30B9
SampleVector-max, xrefs: 608D30EE
..\..\third_party\libc++\src\include\vector, xrefs: 608D2BE6, 608D30C3
string_view::string_view(_CharT *, size_t): length does not fit in difference_type, xrefs: 608D31D2
__len <= static_cast<size_type>(numeric_limits<difference_type>::max()), xrefs: 608D31D7
SampleVector-min, xrefs: 608D31AE
SampleVector-range_min, xrefs: 608D312E
%s:%d: assertion %s failed: %s, xrefs: 608D2BEB, 608D30C8
string_view::string_view(_CharT *, size_t): received nullptr, xrefs: 608D31EB

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: Init_thread_header
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\string_view$..\..\third_party\libc++\src\include\vector$SampleVector-max$SampleVector-min$SampleVector-range_max$SampleVector-range_min$__len <= static_cast<size_type>(numeric_limits<difference_type>::max())$__len == 0 || __s != nullptr$__n < size()$string_view::string_view(_CharT *, size_t): length does not fit in difference_type$string_view::string_view(_CharT *, size_t): received nullptr$vector[] index out of bounds
API String ID: 3738618077-148731821
Opcode ID: 2c7837a3b2d95054f80457dd157312e32eb7c55a4e4936b696cb22a1602b518a
Instruction ID: c7e3f80bfe9de25f332440e650b6b2cd226dfd018ea886ff9eea7a9e39783f63
Opcode Fuzzy Hash: 2c7837a3b2d95054f80457dd157312e32eb7c55a4e4936b696cb22a1602b518a
Instruction Fuzzy Hash: 0222D5716082019FCB14DF28C891A5EBBB2EFAA314F044E2DF94667391DB35ED05DB52

Function 608B52B0 Relevance: 25.3, APIs: 13, Strings: 1, Instructions: 794COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(00000041,?,?,?,?,?,-00000048,00000001,?,608B52A1,?,-00000048,60947074,-00000048,?), ref: 608B549A
ReleaseSRWLockExclusive.KERNEL32(00000041,?,?,?,?,?,-00000048,00000001,?,608B52A1,?,-00000048,60947074,-00000048,?), ref: 608B54CC

Strings

first, xrefs: 608B5B19, 608B5CB4, 608B5CD3, 608B5D26, 608B5D6B

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: first
API String ID: 17069307-2456940119
Opcode ID: 21e8bd941b2ccd8c21b911f154c57328d010e31680d7e181cc6ab8f7c1da2377
Instruction ID: ba2df592b921878dd37550dbc4411befb5251c72d5a988c32c31741a454a0769
Opcode Fuzzy Hash: 21e8bd941b2ccd8c21b911f154c57328d010e31680d7e181cc6ab8f7c1da2377
Instruction Fuzzy Hash: B26224716047019FD709CF28C894B6ABBE2FFA9314F18892CE9999B391D775EC45CB80

Function 608BECB0 Relevance: 25.1, APIs: 6, Strings: 8, Instructions: 626COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(60986D60), ref: 608BF089
_strlen.LIBCMT ref: 608BF173
ReleaseSRWLockExclusive.KERNEL32(60986D60,?,00000000,?,00000000,?,?,?), ref: 608BF1B8
TryAcquireSRWLockExclusive.KERNEL32(60986D5C), ref: 608BF288

Part of subcall function 60924150: TryAcquireSRWLockExclusive.KERNEL32(?), ref: 60924180
Part of subcall function 60924150: ReleaseSRWLockExclusive.KERNEL32(?), ref: 609241FD

ReleaseSRWLockExclusive.KERNEL32(60986D5C,?,?,?,00000000,00000000), ref: 608BF36C
__Init_thread_header.LIBCMT ref: 608BF40F

Strings

..\..\base\trace_event\trace_log.cc, xrefs: 608BF3F2
__s != nullptr, xrefs: 608BF3A5
..\..\third_party\libc++\src\include\string, xrefs: 608BF255
3333, xrefs: 608BF0B3
__s should never be greater than or equal to the short string capacity, xrefs: 608BF246
__s < __min_cap, xrefs: 608BF24B
%s:%d: assertion %s failed: %s, xrefs: 608BF25A
string::assign received nullptr, xrefs: 608BF3A0

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease$Init_thread_header_strlen
String ID: %s:%d: assertion %s failed: %s$..\..\base\trace_event\trace_log.cc$..\..\third_party\libc++\src\include\string$3333$__s != nullptr$__s < __min_cap$__s should never be greater than or equal to the short string capacity$string::assign received nullptr
API String ID: 2712113889-2693286896
Opcode ID: bf4eb0393c82b5329eac17eca60f8e65fe5c5ab838d777fc9e0b76403fe58824
Instruction ID: 5fbf08daf1eceb4a60b64ca58359e3631298457e6b569f134b4ef41472118956
Opcode Fuzzy Hash: bf4eb0393c82b5329eac17eca60f8e65fe5c5ab838d777fc9e0b76403fe58824
Instruction Fuzzy Hash: 62426875A487459FC711CF28C880A5ABBE2FBAA314F004E2DF8959B392D770D945CB52

Function 60872700 Relevance: 25.1, APIs: 5, Strings: 9, Instructions: 569COMMON

Download Yara Rule

APIs

__Init_thread_header.LIBCMT ref: 60872903
GetCurrentProcess.KERNEL32 ref: 60872DA0
GetCurrentProcess.KERNEL32 ref: 60872DA4
DuplicateHandle.KERNEL32(00000000,00000064,00000000,00000000,00000000,00000000,00000002), ref: 60872DB3
CloseHandle.KERNEL32(00000000), ref: 60872DE9

Strings

null pointer given to destroy_at, xrefs: 60872D3C
vector::erase(first, last) called with invalid range, xrefs: 60872D26
null pointer given to construct_at, xrefs: 60872D57
__location != nullptr, xrefs: 60872D5C
..\..\third_party\libc++\src\include\__memory\construct_at.h, xrefs: 60872D48
__loc != nullptr, xrefs: 60872D41
..\..\third_party\libc++\src\include\vector, xrefs: 60872D35
__first <= __last, xrefs: 60872D2B
%s:%d: assertion %s failed: %s, xrefs: 60872D4D

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: CurrentHandleProcess$CloseDuplicateInit_thread_header
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\__memory\construct_at.h$..\..\third_party\libc++\src\include\vector$__first <= __last$__loc != nullptr$__location != nullptr$null pointer given to construct_at$null pointer given to destroy_at$vector::erase(first, last) called with invalid range
API String ID: 2744010882-679676335
Opcode ID: d5c20d1aeaf4f49b3212ee0e2453a9ad5618ff5155180fe5ff87eff70736326a
Instruction ID: 5157e5cab8266bcdd0f296e61a85b8792bd1ca628b4cb486a9b0692beddcb612
Opcode Fuzzy Hash: d5c20d1aeaf4f49b3212ee0e2453a9ad5618ff5155180fe5ff87eff70736326a
Instruction Fuzzy Hash: A432AC71E002198FCB25CF6CC880A9DFBB2FF69314F158A6AE815AB355D735AD41CB90

Function 608BE830 Relevance: 24.9, APIs: 5, Strings: 9, Instructions: 386COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 608BE888
_strlen.LIBCMT ref: 608BE8C4
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,7FFFFFFF,?), ref: 608BEA00
_strlen.LIBCMT ref: 608BEAFE
ReleaseSRWLockExclusive.KERNEL32(?,?,00000000,?,00000000,?,00000000,?,?), ref: 608BEB3D

Strings

null pointer passed to non-null argument of char_traits<...>::length, xrefs: 608BE916
..\..\third_party\libc++\src\include\string_view, xrefs: 608BE925
3333, xrefs: 608BEA38
__s != nullptr, xrefs: 608BE91B, 608BEBB1
..\..\third_party\libc++\src\include\string, xrefs: 608BEB9D
__s should never be greater than or equal to the short string capacity, xrefs: 608BEB8E
__s < __min_cap, xrefs: 608BEB93
%s:%d: assertion %s failed: %s, xrefs: 608BE92A, 608BEBA2
string::assign received nullptr, xrefs: 608BEBAC

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: _strlen$ExclusiveLock$AcquireRelease
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\string$..\..\third_party\libc++\src\include\string_view$3333$__s != nullptr$__s < __min_cap$__s should never be greater than or equal to the short string capacity$null pointer passed to non-null argument of char_traits<...>::length$string::assign received nullptr
API String ID: 3829107669-3629339309
Opcode ID: 9cb863c19dd2aa380f7876d194ca5069767fbfe7cce49d340e41c0a6a6689696
Instruction ID: 85f401b4ca40855993ce6905a00212dd0e385177fb63ba9d77013553dd036108
Opcode Fuzzy Hash: 9cb863c19dd2aa380f7876d194ca5069767fbfe7cce49d340e41c0a6a6689696
Instruction Fuzzy Hash: C2D1B571E04209AFDB04CF68C881AAEBBF6FFA5314F148869E855A7341E730ED55CB61

Function 608BE130 Relevance: 18.2, APIs: 12, Instructions: 162threadtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 608BE6C0: GetCurrentThread.KERNEL32 ref: 608BE6C7

QueryThreadCycleTime.KERNEL32(00000000,00000000), ref: 608BE170
GetCurrentThread.KERNEL32 ref: 608BE1F7
GetThreadPriority.KERNEL32(00000000), ref: 608BE1FA
GetCurrentThread.KERNEL32 ref: 608BE204
SetThreadPriority.KERNEL32(00000000,00000002), ref: 608BE209
QueryPerformanceCounter.KERNEL32(?), ref: 608BE267
GetCurrentThread.KERNEL32 ref: 608BE276
SetThreadPriority.KERNEL32(00000000,?), ref: 608BE281
QueryPerformanceFrequency.KERNEL32(?), ref: 608BE28F
__Init_thread_header.LIBCMT ref: 608BE2F3
__Init_thread_header.LIBCMT ref: 608BE371
QueryPerformanceCounter.KERNEL32(?), ref: 608BE392

Part of subcall function 608DCFDD: EnterCriticalSection.KERNEL32(60976154,?,?,6090E6B4,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D,?), ref: 608DCFE7
Part of subcall function 608DCFDD: LeaveCriticalSection.KERNEL32(60976154,?,6090E6B4,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D,?), ref: 608DD01A
Part of subcall function 608DCFDD: WakeAllConditionVariable.KERNEL32(?,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D,?,?,?,608C2085), ref: 608DD08D

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: Thread$CurrentQuery$PerformancePriority$CounterCriticalInit_thread_headerSection$ConditionCycleEnterFrequencyLeaveTimeVariableWake
String ID:
API String ID: 1831388462-0
Opcode ID: 89b15167f456eef7bf4e092babfc92957bb89abbd53671717e612d19403f666b
Instruction ID: 007f2dac0408ce00e5bbb38f4553a1117ba39c63d6625dae21b9b230b056d550
Opcode Fuzzy Hash: 89b15167f456eef7bf4e092babfc92957bb89abbd53671717e612d19403f666b
Instruction Fuzzy Hash: 57614B719286059FC702DF39C85551ABFB6FF9A340F108B2AF895A7361EB31A441DB42

Function 608D8860 Relevance: 18.0, APIs: 6, Strings: 4, Instructions: 465COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(00000000), ref: 608D8A78

Strings

!empty(), xrefs: 608D8B70
..\..\third_party\libc++\src\include\vector, xrefs: 608D8B7A
%s:%d: assertion %s failed: %s, xrefs: 608D8B7F
front() called on an empty vector, xrefs: 608D8B6B

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: AcquireExclusiveLock
String ID: !empty()$%s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\vector$front() called on an empty vector
API String ID: 4021432409-3908935617
Opcode ID: bc77c8876d20fa8deadda88ef024d7d1b00078fc3a2105f840bb30ea50dc5806
Instruction ID: 2acf57fbf86e330f0b3460112ae336addcfce509bc7add0c3d67062c46df43dd
Opcode Fuzzy Hash: bc77c8876d20fa8deadda88ef024d7d1b00078fc3a2105f840bb30ea50dc5806
Instruction Fuzzy Hash: 45F10471A1470AEFC708DF28C88095ABBB2FFA5304F505E2DE4859B790DB70E855CB92

Function 6089C6C0 Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 288COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 6089C7EF
_strlen.LIBCMT ref: 6089C988

Strings

__len <= static_cast<size_type>(numeric_limits<difference_type>::max()), xrefs: 6089C77B
__len == 0 || __s != nullptr, xrefs: 6089C76A
..\..\third_party\libc++\src\include\string_view, xrefs: 6089C785
GenuineIntel, xrefs: 6089C716
string_view::string_view(_CharT *, size_t): received nullptr, xrefs: 6089C765
%s:%d: assertion %s failed: %s, xrefs: 6089C78A
string_view::string_view(_CharT *, size_t): length does not fit in difference_type, xrefs: 6089C776

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: _strlen
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\string_view$GenuineIntel$__len <= static_cast<size_type>(numeric_limits<difference_type>::max())$__len == 0 || __s != nullptr$string_view::string_view(_CharT *, size_t): length does not fit in difference_type$string_view::string_view(_CharT *, size_t): received nullptr
API String ID: 4218353326-1163444730
Opcode ID: e704d89319f9afc48020e41cc9777a6f0fe980437bb1cb2d5d17690243c74e0e
Instruction ID: e27a59b4ca4eec1e485940e719d1b481f8275b7d66b8f046252d4cd6df733f91
Opcode Fuzzy Hash: e704d89319f9afc48020e41cc9777a6f0fe980437bb1cb2d5d17690243c74e0e
Instruction Fuzzy Hash: 94A1B2B2E047499FD714CFAD888069ABBF1EF69314F10892DE489EB342D735E945CB50

Function 608A1470 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 239fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(FFFFFFFF,?,?,00000000,?,?,00000000,?,00000000), ref: 608A15B3
GetLastError.KERNEL32 ref: 608A15C3
SetLastError.KERNEL32(00000000), ref: 608A15E7
GetLastError.KERNEL32 ref: 608A163B
GetLastError.KERNEL32 ref: 608A164F
SetLastError.KERNEL32(00000057,?,00000000), ref: 608A169D

Strings

%08x-%04x-%04x-%04x-%012llx, xrefs: 608A171E
DoInitialize, xrefs: 608A14BB
..\..\base\files\file_win.cc, xrefs: 608A14B6

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ErrorLast$CreateFile
String ID: %08x-%04x-%04x-%04x-%012llx$..\..\base\files\file_win.cc$DoInitialize
API String ID: 1722934493-3930919753
Opcode ID: 89c7773e167882e4fc55a114e244c48f5abbb5cde0d7fc667a4a9e692e53f7a6
Instruction ID: c7fe397bc7d80eeae3b2c861195f69da8a98dfdbb374f9cae79093ebbfa57287
Opcode Fuzzy Hash: 89c7773e167882e4fc55a114e244c48f5abbb5cde0d7fc667a4a9e692e53f7a6
Instruction Fuzzy Hash: 377138B2E106056BEB00CF29CC4176ABBA2FFE5354F058928F88AA7681D7749D44C791

Function 608C40B0 Relevance: 14.6, APIs: 4, Strings: 4, Instructions: 557COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 608C4147
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000001), ref: 608C42A4
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000001), ref: 608C42B9
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000001), ref: 608C440B

Strings

null pointer given to destroy_at, xrefs: 608C4690
..\..\third_party\libc++\src\include\__memory\construct_at.h, xrefs: 608C469C
__loc != nullptr, xrefs: 608C4695
%s:%d: assertion %s failed: %s, xrefs: 608C46A1

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ExclusiveLock$Release$Acquire__allrem
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\__memory\construct_at.h$__loc != nullptr$null pointer given to destroy_at
API String ID: 4070440243-3634482660
Opcode ID: 7c546313793bb62c4b3d165e9597ad618ef2853fe1fd2fdb482131995899a825
Instruction ID: 3b195ab9bdb5d947be70d1727a41776300e65b728da45328086a663a8c47e64b
Opcode Fuzzy Hash: 7c546313793bb62c4b3d165e9597ad618ef2853fe1fd2fdb482131995899a825
Instruction Fuzzy Hash: 9E128271E001198FDB14CFA8C881BAEBBB2EFA9314F254929E915B7350D731DD858B92

Function 608B8840 Relevance: 14.4, APIs: 2, Strings: 6, Instructions: 380COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 608B8B0E
__floor_pentium4.LIBCMT ref: 608B8BE4

Strings

3333, xrefs: 608B8C20
null pointer given to construct_at, xrefs: 608B8C81
__location != nullptr, xrefs: 608B8C86
..\..\third_party\libc++\src\include\__memory\construct_at.h, xrefs: 608B8C8D
3333, xrefs: 608B88FB
%s:%d: assertion %s failed: %s, xrefs: 608B8C92

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: __floor_pentium4
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\__memory\construct_at.h$3333$3333$__location != nullptr$null pointer given to construct_at
API String ID: 4168288129-1753457639
Opcode ID: 8afc5cb6657ce0ccf6a20f2067661b4bc1115d17dab945238149ed39f7352478
Instruction ID: 94640ae3b8a25f059186cfadc689a6cd1439ee22183e624189dc72b28ac26e5b
Opcode Fuzzy Hash: 8afc5cb6657ce0ccf6a20f2067661b4bc1115d17dab945238149ed39f7352478
Instruction Fuzzy Hash: 6DD11471B1451ACFCB09CE39C89116EBBB3EFA63507188A2AD812EB341E771DC41CB91

Function 608C2490 Relevance: 14.4, APIs: 2, Strings: 6, Instructions: 354COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 608C25CC
__floor_pentium4.LIBCMT ref: 608C2727

Strings

null pointer given to construct_at, xrefs: 608C2876
__location != nullptr, xrefs: 608C287B
..\..\third_party\libc++\src\include\__memory\construct_at.h, xrefs: 608C2882
3333, xrefs: 608C27C5
%s:%d: assertion %s failed: %s, xrefs: 608C2887
3333, xrefs: 608C276C

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: __floor_pentium4
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\__memory\construct_at.h$3333$3333$__location != nullptr$null pointer given to construct_at
API String ID: 4168288129-1753457639
Opcode ID: 59299580cbcebac7d67bb0540c912cb22d1b525a7447b7160a1f276c00f96633
Instruction ID: 8f9c8ed97bf39e35f670f277cdacadce9b81df8680170cb1dca55148cec24558
Opcode Fuzzy Hash: 59299580cbcebac7d67bb0540c912cb22d1b525a7447b7160a1f276c00f96633
Instruction Fuzzy Hash: F7C11771B146198FCB09CF38C89166EB7B2EFB63147249A29D406EB391E735DC41CB62

Function 60892EE0 Relevance: 14.3, APIs: 2, Strings: 6, Instructions: 286COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 60892F82

Strings

null pointer given to construct_at, xrefs: 60893221
__location != nullptr, xrefs: 60893226
..\..\third_party\libc++\src\include\__memory\construct_at.h, xrefs: 6089322D
3333, xrefs: 60893054
3333, xrefs: 608931BD
%s:%d: assertion %s failed: %s, xrefs: 60893232

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: __floor_pentium4
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\__memory\construct_at.h$3333$3333$__location != nullptr$null pointer given to construct_at
API String ID: 4168288129-1753457639
Opcode ID: 8e6a51c1c6a162c9872b57df7ab03708bf375940d3fe673412768ae0f9d3c9ad
Instruction ID: 287a8f3def5dfb459abdda603c8e2c40c5d5dda8f79d95bec6e1b285124c5133
Opcode Fuzzy Hash: 8e6a51c1c6a162c9872b57df7ab03708bf375940d3fe673412768ae0f9d3c9ad
Instruction Fuzzy Hash: A4A1F971B14A098FCB05EE6DC88156EF7B2FFA63147148A29E41AE7250E731EC85CB91

Function 60932A70 Relevance: 12.6, APIs: 8, Instructions: 612COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 60932B87
__aullrem.LIBCMT ref: 60932B96
__aulldiv.LIBCMT ref: 60932BE1
__aullrem.LIBCMT ref: 60932BF6
__aullrem.LIBCMT ref: 60932C8A
__aulldiv.LIBCMT ref: 60932C9D
__aullrem.LIBCMT ref: 60932CAD
__aulldiv.LIBCMT ref: 60932CC1

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: __aulldiv__aullrem
String ID:
API String ID: 3839614884-0
Opcode ID: 01579bcdc865aac6b5788d877c3d785859840cc7b170474a401a4ce1e591d071
Instruction ID: a8678904ea4fd5c3a3a2efa2cd1c61c5e5f76b5508ebb2094fda897b07097c3f
Opcode Fuzzy Hash: 01579bcdc865aac6b5788d877c3d785859840cc7b170474a401a4ce1e591d071
Instruction Fuzzy Hash: C6221B35B0411A8FCB19CE6CC89069ABBF6EF99300F198269E955EB355D734DD02CBE0

Function 608BD2E0 Relevance: 11.6, Strings: 9, Instructions: 390COMMON

Download Yara Rule

Strings

__len <= static_cast<size_type>(numeric_limits<difference_type>::max()), xrefs: 608BD681
__len == 0 || __s != nullptr, xrefs: 608BD670
..\..\third_party\libc++\src\include\string_view, xrefs: 608BD68B
..\..\third_party\libc++\src\include\string, xrefs: 608BD734
__s should never be greater than or equal to the short string capacity, xrefs: 608BD725
__s < __min_cap, xrefs: 608BD72A
%s:%d: assertion %s failed: %s, xrefs: 608BD690, 608BD739
string_view::string_view(_CharT *, size_t): received nullptr, xrefs: 608BD66B
string_view::string_view(_CharT *, size_t): length does not fit in difference_type, xrefs: 608BD67C

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID:
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\string$..\..\third_party\libc++\src\include\string_view$__len <= static_cast<size_type>(numeric_limits<difference_type>::max())$__len == 0 || __s != nullptr$__s < __min_cap$__s should never be greater than or equal to the short string capacity$string_view::string_view(_CharT *, size_t): length does not fit in difference_type$string_view::string_view(_CharT *, size_t): received nullptr
API String ID: 0-1627334700
Opcode ID: 98fa4841c8b0501867b7c4ab6350aa0ea99135d506a440557b17b419777cc5c2
Instruction ID: 577f60a695435e3f9acbf973af0d547837e65fadc4b432ca5fae79c730f62d96
Opcode Fuzzy Hash: 98fa4841c8b0501867b7c4ab6350aa0ea99135d506a440557b17b419777cc5c2
Instruction Fuzzy Hash: 94D13A71A04319AFCF14CE58C4906ED7BE2EFA9314F148939E856A7385EB34EC41CB95

Function 608BCE70 Relevance: 11.6, Strings: 9, Instructions: 373COMMON

Download Yara Rule

Strings

__len <= static_cast<size_type>(numeric_limits<difference_type>::max()), xrefs: 608BD2A0
__len == 0 || __s != nullptr, xrefs: 608BD28F
..\..\third_party\libc++\src\include\string_view, xrefs: 608BD2AA
..\..\third_party\libc++\src\include\string, xrefs: 608BD2C8
__s should never be greater than or equal to the short string capacity, xrefs: 608BD2B9
__s < __min_cap, xrefs: 608BD2BE
%s:%d: assertion %s failed: %s, xrefs: 608BD2AF, 608BD2CD
string_view::string_view(_CharT *, size_t): received nullptr, xrefs: 608BD28A
string_view::string_view(_CharT *, size_t): length does not fit in difference_type, xrefs: 608BD29B

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID:
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\string$..\..\third_party\libc++\src\include\string_view$__len <= static_cast<size_type>(numeric_limits<difference_type>::max())$__len == 0 || __s != nullptr$__s < __min_cap$__s should never be greater than or equal to the short string capacity$string_view::string_view(_CharT *, size_t): length does not fit in difference_type$string_view::string_view(_CharT *, size_t): received nullptr
API String ID: 0-1627334700
Opcode ID: 3f485e3d68cfb439c38607599be3df9a6218e60c01107f3d0c11c93077a41ff4
Instruction ID: d7955d4fcf84d8c83ad1f1c93970be7e23efa4d3dfcb7e714274fa4247baa1bf
Opcode Fuzzy Hash: 3f485e3d68cfb439c38607599be3df9a6218e60c01107f3d0c11c93077a41ff4
Instruction Fuzzy Hash: D9D14D71A006199BDF14CF68C8506ADBBB3FF69314F148D6AE856A7381EB34ED01C791

Function 608D65A0 Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 395COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(?), ref: 608D66B3
ReleaseSRWLockExclusive.KERNEL32(?), ref: 608D6765

Part of subcall function 608D96C0: TryAcquireSRWLockExclusive.KERNEL32(?,00000000), ref: 608D96E2

Strings

null pointer given to destroy_at, xrefs: 608D6AC5
..\..\third_party\libc++\src\include\__memory\construct_at.h, xrefs: 608D6AD1
__loc != nullptr, xrefs: 608D6ACA
%s:%d: assertion %s failed: %s, xrefs: 608D6AD6

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\__memory\construct_at.h$__loc != nullptr$null pointer given to destroy_at
API String ID: 1678258262-3634482660
Opcode ID: 07c3dbfdb01a63f55902deeacfbcc28c3ddf0b573e93f10b5033ba648427437f
Instruction ID: 2903c09c11bd11a69fb14a5fc899af883beaef33a8ed9f2a8fa9585b7ac21d1d
Opcode Fuzzy Hash: 07c3dbfdb01a63f55902deeacfbcc28c3ddf0b573e93f10b5033ba648427437f
Instruction Fuzzy Hash: BDE1D071E0425C9BDB01DBA8C4507AEBB72EFA5318F204B19E8556B3C2DB30AD56CB81

Function 608D6BA0 Relevance: 10.9, APIs: 2, Strings: 4, Instructions: 354COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(?), ref: 608D6C3E
ReleaseSRWLockExclusive.KERNEL32(?), ref: 608D6CB1

Strings

null pointer given to destroy_at, xrefs: 608D706E
..\..\third_party\libc++\src\include\__memory\construct_at.h, xrefs: 608D707A
__loc != nullptr, xrefs: 608D7073
%s:%d: assertion %s failed: %s, xrefs: 608D707F

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\__memory\construct_at.h$__loc != nullptr$null pointer given to destroy_at
API String ID: 17069307-3634482660
Opcode ID: 6465197546e9fe8b9928087b41d2e49bc5cd902e82d304b48bd0574cd14caac6
Instruction ID: 604d7105667664c623045ec3e5db20437537cf79cb77304c7b9af346a9f8865c
Opcode Fuzzy Hash: 6465197546e9fe8b9928087b41d2e49bc5cd902e82d304b48bd0574cd14caac6
Instruction Fuzzy Hash: 83D1A1716087488BD715DF28C44072ABBA2EFA6714F244F5DE8968B3C1DB31EC56CB92

Function 608C61B0 Relevance: 9.3, APIs: 3, Strings: 2, Instructions: 580COMMON

Download Yara Rule

Strings

ProcessPrng, xrefs: 608C622D
bcryptprimitives.dll, xrefs: 608C621E

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ErrorLastOnce$ExecuteInitValue
String ID: ProcessPrng$bcryptprimitives.dll
API String ID: 2797425889-2667675608
Opcode ID: a1b16f0f60791f414062569b19275e0a396fc5bd2fec1b6eb0067fb73e21314c
Instruction ID: 4a43a12343002c70af0b2ee81a73fb9bfeb9da3d10149d328e52e448a14257d5
Opcode Fuzzy Hash: a1b16f0f60791f414062569b19275e0a396fc5bd2fec1b6eb0067fb73e21314c
Instruction Fuzzy Hash: 0D32AC719187448BD725CB28D845BEBBBE5EFAA304F104D2DE9D9C7241EB70D984CB82

Function 6089C7A0 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 209COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 6089C7EF
_strlen.LIBCMT ref: 6089C988

Strings

t Hv, xrefs: 6089C9FD
osof, xrefs: 6089C9F5
Micr, xrefs: 6089C9ED

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: _strlen
String ID: Micr$osof$t Hv
API String ID: 4218353326-2053847325
Opcode ID: 586c21c06c3ce9e51c16d43a2e43f3a3f9caf84be4b81e037de13f09f50dbb16
Instruction ID: f5b0efef3e7f18a67587d440f8c1d19edfb5eefd449736fd0febc8e9efdd1d71
Opcode Fuzzy Hash: 586c21c06c3ce9e51c16d43a2e43f3a3f9caf84be4b81e037de13f09f50dbb16
Instruction Fuzzy Hash: 6B71B0B1E047899FDB14CF69848039EBFF0EF69304F108A2ED48A9B742D735A949CB51

Function 609265D0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32(00001200,00000000,6092679F,00000000,?,00000100,00000000), ref: 60926610
GetLastError.KERNEL32 ref: 6092661A
_strlen.LIBCMT ref: 60926660

Strings

Error (0x%lX) while retrieving error. (0x%lX), xrefs: 60926622
(0x%lX), xrefs: 60926651

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ErrorFormatLastMessage_strlen
String ID: (0x%lX)$Error (0x%lX) while retrieving error. (0x%lX)
API String ID: 2706427827-3206765257
Opcode ID: f96bc95c8a30383b45758caa81a35f1567a302be9fa441872d1881d18675f45d
Instruction ID: 2c4a2d27ce8b41b5aeed53ca7fc3812420b02b96860807a23797bb2ad268f814
Opcode Fuzzy Hash: f96bc95c8a30383b45758caa81a35f1567a302be9fa441872d1881d18675f45d
Instruction Fuzzy Hash: 0731F6B1D0022C6FEB15DB24DC42AEB7B79EF56748F0444A8F948A7241EB309E44CAA1

Function 608FEF17 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,608FE8CD,00000002,00000000,?,?,?,608FE8CD,?,00000000), ref: 608FEFB0
GetLocaleInfoW.KERNEL32(?,20001004,608FE8CD,00000002,00000000,?,?,?,608FE8CD,?,00000000), ref: 608FEFD9
GetACP.KERNEL32(?,?,608FE8CD,?,00000000), ref: 608FEFEE

Strings

OCP, xrefs: 608FEF6B
ACP, xrefs: 608FEF35

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: e03278a458d6940f7efd066887d5dc1874c8c70e02f5804fcf7323f67d00a4a8
Instruction ID: 5fd3eb0a92f8a11086c1b3c25c7ab2a6645cb23128c246dd00a53eb75f2a285e
Opcode Fuzzy Hash: e03278a458d6940f7efd066887d5dc1874c8c70e02f5804fcf7323f67d00a4a8
Instruction Fuzzy Hash: 8921A43261910DABE725CF38CD04A8B7AA7EB65B90B524CA4F815D7140FF32ED42C350

Function 60889410 Relevance: 8.3, Strings: 6, Instructions: 785COMMON

Download Yara Rule

Strings

__first != __end, xrefs: 60889905, 60889923, 60889A20, 60889BC8
__last != __begin, xrefs: 608898F4, 60889934, 60889A0C, 60889BB4
Would read out of bounds, does your comparator satisfy the strict-weak ordering requirement?, xrefs: 608898EF, 60889900, 6088991E, 6088992F, 60889A07, 60889A1B, 60889BAF, 60889BC3, 6088A151
..\..\third_party\libc++\src\include\__algorithm\sort.h, xrefs: 6088990F
__k != __leftmost, xrefs: 6088A156
%s:%d: assertion %s failed: %s, xrefs: 60889914

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID:
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\__algorithm\sort.h$Would read out of bounds, does your comparator satisfy the strict-weak ordering requirement?$__first != __end$__k != __leftmost$__last != __begin
API String ID: 0-3249051884
Opcode ID: d207d452e5d9f8e632afcdf009caaf3f1c5c1a1e533dd4a284e80d72d326f08e
Instruction ID: 04494ab48f62cf3cc43678885e49a0c0a4e5a962dbbc39706197c2feab827af1
Opcode Fuzzy Hash: d207d452e5d9f8e632afcdf009caaf3f1c5c1a1e533dd4a284e80d72d326f08e
Instruction Fuzzy Hash: 4F621B719087859BD315CF2CC881A6AF7E5FFE5314F044E2DE9C897241EB71A989CB82

Function 608FE797 Relevance: 7.7, APIs: 5, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 608F9B3A: GetLastError.KERNEL32(FD0333F8,FD0333E8,608FDDD2,609598C0,0000000C,608FA1D4,FD0333F4,6090E542,608E229D,00000000,FD0333F4,?,56609572,FD0333E8,8D609450,FD0333E8), ref: 608F9B3E
Part of subcall function 608F9B3A: SetLastError.KERNEL32(00000000), ref: 608F9BE0

GetUserDefaultLCID.KERNEL32(-00000002,00000000,?,00000055,?), ref: 608FE89F
IsValidCodePage.KERNEL32(00000000), ref: 608FE8DD
IsValidLocale.KERNEL32(?,00000001), ref: 608FE8F0
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 608FE938
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 608FE953

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
String ID:
API String ID: 415426439-0
Opcode ID: 1a1b8709b78c8d6a6cc76266014d53fe515b191386e5deeb19b7e8f1ff204a4a
Instruction ID: c5d312496d5428dc49bc261951424c10dc34cf25d3864cd2efbef099fa2606fb
Opcode Fuzzy Hash: 1a1b8709b78c8d6a6cc76266014d53fe515b191386e5deeb19b7e8f1ff204a4a
Instruction Fuzzy Hash: 76518071A1020DABEF10DFB9CC81AAA7BB9EF65784F104829F910E7150E7B0D906CB61

Function 608BCBD0 Relevance: 7.6, APIs: 5, Instructions: 86COMMON

Download Yara Rule

APIs

__Init_thread_header.LIBCMT ref: 608BCC25
GetVersionExW.KERNEL32(?), ref: 608BCC5B
GetProductInfo.KERNEL32(?,?,00000000,00000000,?), ref: 608BCC72
__Init_thread_header.LIBCMT ref: 608BCCCE

Part of subcall function 608DCF67: EnterCriticalSection.KERNEL32(60976154,?,?,?,6090E691,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D), ref: 608DCF72
Part of subcall function 608DCF67: LeaveCriticalSection.KERNEL32(60976154,?,6090E691,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D,?), ref: 608DCFAF

GetNativeSystemInfo.KERNEL32(60986C48), ref: 608BCCFF

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: CriticalInfoInit_thread_headerSection$EnterLeaveNativeProductSystemVersion
String ID:
API String ID: 4213586224-0
Opcode ID: b8ac08526b886fd801ad8c0bff3e5e5cc38fd7e2c5fe7a91395c3a680301d10c
Instruction ID: ce8e29470d18ab49c523f9eba172ffa08a2f1cf09d0a7db5bb82451b1db0cf8d
Opcode Fuzzy Hash: b8ac08526b886fd801ad8c0bff3e5e5cc38fd7e2c5fe7a91395c3a680301d10c
Instruction Fuzzy Hash: 8D310971824114DBDB10CB1ACD96A9A7F72FBA7314F000E1DE6C86F391DB316894DB91

Function 608A88A0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 216COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(?), ref: 608A88AF
ReleaseSRWLockExclusive.KERNEL32(?), ref: 608A898A
ReleaseSRWLockExclusive.KERNEL32(?), ref: 608A8A23

Strings

3333, xrefs: 608A8909

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ExclusiveLock$Release$Acquire
String ID: 3333
API String ID: 1021914862-2924271548
Opcode ID: 5b18306457e4f4b4cba18c79e85d33bdfd9b8f07dd66d2474544ce3833bdfbaf
Instruction ID: b294ec0be5f89b0cdf8a211d7c0b38aae9f0d74a263f9411d5bd7d156ee67e88
Opcode Fuzzy Hash: 5b18306457e4f4b4cba18c79e85d33bdfd9b8f07dd66d2474544ce3833bdfbaf
Instruction Fuzzy Hash: 1561D131B14159CBCB18CF28CC8596A7BB7FBA5310718892AE806DBB51E770ED51C7E2

Function 6092F490 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 167COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 6092F4D5

Strings

Not a directory , xrefs: 6092F62E
FindFirstFileEx , xrefs: 6092F56A
..\..\third_party\crashpad\crashpad\util\file\filesystem_win.cc, xrefs: 6092F558, 6092F61C

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: FileFindFirst
String ID: ..\..\third_party\crashpad\crashpad\util\file\filesystem_win.cc$FindFirstFileEx $Not a directory
API String ID: 1974802433-2933623126
Opcode ID: 3c839a6e02a6a82eca224458c314645629ba587c05b6fcf5d6c0d5436bc3837d
Instruction ID: 0a8b072644fd5db6b3df545535b5fbf612dadad876dcbf218f7523a59b76cc60
Opcode Fuzzy Hash: 3c839a6e02a6a82eca224458c314645629ba587c05b6fcf5d6c0d5436bc3837d
Instruction Fuzzy Hash: 685136719502286BDB218B14EC56FAA777ADF3570CF0004B8F80967296DB35EF488B61

Function 6092EA80 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 106COMMON

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000001,?,00000000,00000000,00000002,?,6094EE8A,00000001), ref: 6092EB42

Strings

..\..\third_party\crashpad\crashpad\util\file\directory_reader_win.cc, xrefs: 6092EAE4, 6092EB97
Empty directory path, xrefs: 6092EAF6
FindFirstFile, xrefs: 6092EBA9

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: FileFindFirst
String ID: ..\..\third_party\crashpad\crashpad\util\file\directory_reader_win.cc$Empty directory path$FindFirstFile
API String ID: 1974802433-415219540
Opcode ID: a631d12d3b5e153ae4bb6b206ca385859bf073207cf2d2666494940609acc4d4
Instruction ID: 4e3b2f61806a91f7a47553fe0cbe5460c0278e645f43cd5853b34a4e5a532112
Opcode Fuzzy Hash: a631d12d3b5e153ae4bb6b206ca385859bf073207cf2d2666494940609acc4d4
Instruction Fuzzy Hash: BD313830A503185AEB109735AC46F6F776BEB7130CF00042DF90AAB2C5EB75ED0486A2

Function 608E6C40 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f31c37b3e8e5c194816885a30c5c5bb30560397ef29e66f6cdcd95a9b34bf89
Instruction ID: b860ea18367ed8d10c79dc27b924312c3665328ae63974e6cb6f9ce670bf8cd0
Opcode Fuzzy Hash: 9f31c37b3e8e5c194816885a30c5c5bb30560397ef29e66f6cdcd95a9b34bf89
Instruction Fuzzy Hash: 81027A71E002199BDB14CFA9D88069EFBB1FF59354F248669E919E7381D731AE02CB90

Function 608A40D0 Relevance: 6.4, Strings: 5, Instructions: 188COMMON

Download Yara Rule

Strings

null pointer given to construct_at, xrefs: 608A418C
__location != nullptr, xrefs: 608A4191
..\..\third_party\libc++\src\include\__memory\construct_at.h, xrefs: 608A4198
OPENSSL_ia32cap, xrefs: 608AA4C3
%s:%d: assertion %s failed: %s, xrefs: 608A419D

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID:
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\__memory\construct_at.h$OPENSSL_ia32cap$__location != nullptr$null pointer given to construct_at
API String ID: 0-1029541090
Opcode ID: 4f9164b86643f8460ced0999f2b7630bf2e7cc2d5f0b0b0ef5a6dfb5d3c84014
Instruction ID: 0a43b0749dd468ba1b95012afb7d3cf063b2a13161cfb4aa05cab52259a9a883
Opcode Fuzzy Hash: 4f9164b86643f8460ced0999f2b7630bf2e7cc2d5f0b0b0ef5a6dfb5d3c84014
Instruction Fuzzy Hash: 39514772E082149FCF08CF29C881A1ABFA6EBE9314F258979E919DB740DB71DC41C791

Function 60933100 Relevance: 6.4, APIs: 4, Instructions: 389COMMON

Download Yara Rule

APIs

__aullrem.LIBCMT ref: 60933118
__aulldiv.LIBCMT ref: 60933129
__aullrem.LIBCMT ref: 60933137
__aulldiv.LIBCMT ref: 6093314A

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: __aulldiv__aullrem
String ID:
API String ID: 3839614884-0
Opcode ID: d3346fd644f094e34e30b082163566b17ee0221ab523d52cc74c9f858caff3e4
Instruction ID: 2b8184d6ec1c2c20cb1ece8285dfa8ee268de646dd75c2b9202608e8b18d3b0e
Opcode Fuzzy Hash: d3346fd644f094e34e30b082163566b17ee0221ab523d52cc74c9f858caff3e4
Instruction Fuzzy Hash: F1D115357045168FCB19CE6CC891AA5BBE6EF99300B19C26DE818CF366D631ED05CBD0

Function 608FF3F7 Relevance: 6.2, APIs: 4, Instructions: 205COMMONLIBRARYCODE

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 608FF4E7

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 18e0bad7c135dc87cc540f9b71128dd5ebf755fd41c6d03926064acf78843736
Instruction ID: 8597f4d335e0e061b744a6c35a5a68bd7056296d259371adcb177ac2d5524cbf
Opcode Fuzzy Hash: 18e0bad7c135dc87cc540f9b71128dd5ebf755fd41c6d03926064acf78843736
Instruction Fuzzy Hash: F171F37184511C5FDF11DF388C99AAABBB9EF35344F1045D9E018A7212EB358E86DF14

Function 608FEA90 Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 608F9B3A: GetLastError.KERNEL32(FD0333F8,FD0333E8,608FDDD2,609598C0,0000000C,608FA1D4,FD0333F4,6090E542,608E229D,00000000,FD0333F4,?,56609572,FD0333E8,8D609450,FD0333E8), ref: 608F9B3E
Part of subcall function 608F9B3A: SetLastError.KERNEL32(00000000), ref: 608F9BE0

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 608FEAE4
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 608FEB2E
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 608FEBF4

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: InfoLocale$ErrorLast
String ID:
API String ID: 661929714-0
Opcode ID: 711d61fa0ebdc3691a4af87d3f5a14e70c86a49b09dbf4f2923eae99f8efc8b4
Instruction ID: f6ce71d68f450c1232b30ded1fb722e2c97e190da855164bf73352d52d3a112f
Opcode Fuzzy Hash: 711d61fa0ebdc3691a4af87d3f5a14e70c86a49b09dbf4f2923eae99f8efc8b4
Instruction Fuzzy Hash: C861C17151421F9BEB19CF38CC82B6A7BB9EF14394F10496AE815D7280F734D982DB50

Function 60923120 Relevance: 4.6, APIs: 3, Instructions: 81COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(6088B07C,?,?,?,?,?,?,?,?,?,?,00000000,?,6088B07C,?,CHROME_CRASHPAD_PIPE_NAME), ref: 6092314E

Part of subcall function 6089C2B0: VerSetConditionMask.KERNEL32 ref: 6089C2F7
Part of subcall function 6089C2B0: VerSetConditionMask.KERNEL32(00000000,?,00000001,00000003), ref: 6089C303
Part of subcall function 6089C2B0: VerSetConditionMask.KERNEL32(00000000,?,00000020,00000003,?,00000001,00000003), ref: 6089C30A
Part of subcall function 6089C2B0: VerifyVersionInfoW.KERNEL32(?,00000023,00000000), ref: 6089C32E
Part of subcall function 6089C2B0: __Init_thread_header.LIBCMT ref: 6089C35E

Part of subcall function 6089B6D0: CreateFileW.KERNEL32 ref: 6089B71B
Part of subcall function 6089B6D0: SetNamedPipeHandleState.KERNEL32(00000000,?,00000000,00000000), ref: 6089B73A
Part of subcall function 6089B6D0: TransactNamedPipe.KERNEL32(00000000,?,00000024,6088CB59,0000000C,?,00000000), ref: 6089B759

SetUnhandledExceptionFilter.KERNEL32(Function_000C3510,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 609231CA
AddVectoredExceptionHandler.KERNEL32(00000001,6088D3C0,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 609231D7

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ConditionMask$ExceptionNamedPipe$CreateCurrentFileFilterHandleHandlerInfoInit_thread_headerProcessStateTransactUnhandledVectoredVerifyVersion
String ID:
API String ID: 671956201-0
Opcode ID: 4fa79490d2b18180790e0d24aa42cfbbfceae910b255bcfdad7ddf5800d198d1
Instruction ID: 4b55054c671bcd207bca86e4ebca417a259f39e6db05234e14d8ce941773fd31
Opcode Fuzzy Hash: 4fa79490d2b18180790e0d24aa42cfbbfceae910b255bcfdad7ddf5800d198d1
Instruction Fuzzy Hash: 94316BF1D202049FDF00DF69EC46A5A7FB6FF65208B008826F848AF352E771A914CB91

Function 60925490 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 60925668

Strings

3333, xrefs: 609254CB

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: __floor_pentium4
String ID: 3333
API String ID: 4168288129-2924271548
Opcode ID: d235f3fc6507214673a83fc1bc4f8a54bdc4eba1180853b4718facf4a06033de
Instruction ID: 7230b1dcfdad332ea0e2c5d1ca88c8cf046c51a6878da28dc6321a9b529ecedf
Opcode Fuzzy Hash: d235f3fc6507214673a83fc1bc4f8a54bdc4eba1180853b4718facf4a06033de
Instruction Fuzzy Hash: 6B816F71E2460A8FCB05CE69D880999F7B7BFA9310764C22AE815B7318D735EC51CB90

Function 6092C960 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 221COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 6092CB33

Strings

3333, xrefs: 6092C99A

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: __floor_pentium4
String ID: 3333
API String ID: 4168288129-2924271548
Opcode ID: 12eb22c2e47a5454faee3fe893a983c0e19a1a0323030ff598422fcaab38040d
Instruction ID: d4ab8b6e27a021cea0d59a6453fe615159e1c030cd1b8c37d00c7ba28fb4e2d1
Opcode Fuzzy Hash: 12eb22c2e47a5454faee3fe893a983c0e19a1a0323030ff598422fcaab38040d
Instruction Fuzzy Hash: C781A1B1F1461A8FCB04CE69D88166EB7B7BFA93107188A29D815F7308D731ED41CB91

Function 608DB2E0 Relevance: 3.7, APIs: 2, Instructions: 677COMMON

Download Yara Rule

APIs

Part of subcall function 608D5BA0: TryAcquireSRWLockExclusive.KERNEL32(?), ref: 608D5C2D

__Init_thread_header.LIBCMT ref: 608DB9BA
__Init_thread_header.LIBCMT ref: 608DBA50

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: Init_thread_header$AcquireExclusiveLock
String ID:
API String ID: 3087591752-0
Opcode ID: aaa31caad242b91859f49fc5029c54487f1ecc9f669b4549d39fc27abd17c627
Instruction ID: e91fd2c3d1514a44076de51d01b69cf2874af4d272fa3d93aef8ef186ded583f
Opcode Fuzzy Hash: aaa31caad242b91859f49fc5029c54487f1ecc9f669b4549d39fc27abd17c627
Instruction Fuzzy Hash: 01526871904B448FC714DF29C491716BBE2FFA9318F148E2DE89A87B91EB74E449CB42

Function 608AA370 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 158COMMON

Download Yara Rule

Strings

OPENSSL_ia32cap, xrefs: 608AA4C3

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: Once$ExecuteInit
String ID: OPENSSL_ia32cap
API String ID: 689400697-399759565
Opcode ID: b8f8397e0efa7055e5a315a3944bd3ec721b1baa529b1134720bc299d2e0d5f0
Instruction ID: 4fc9ac73ba653234f2b71cd8b9bd4493f7d20bbb3b73d5d473f8d38e331a1ee7
Opcode Fuzzy Hash: b8f8397e0efa7055e5a315a3944bd3ec721b1baa529b1134720bc299d2e0d5f0
Instruction Fuzzy Hash: 39415733F1D21507DF14CA799C4636EBA97EBE6324F24893AE825E7F80DA74CC018295

Function 608DADE0 Relevance: 3.2, APIs: 2, Instructions: 236COMMON

Download Yara Rule

APIs

__Init_thread_header.LIBCMT ref: 608DAFBB

Part of subcall function 608DCF67: EnterCriticalSection.KERNEL32(60976154,?,?,?,6090E691,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D), ref: 608DCF72
Part of subcall function 608DCF67: LeaveCriticalSection.KERNEL32(60976154,?,6090E691,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D,?), ref: 608DCFAF

__Init_thread_header.LIBCMT ref: 608DAFF8

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: CriticalInit_thread_headerSection$EnterLeave
String ID:
API String ID: 3100837274-0
Opcode ID: 8acf3b7b57d9fef552f1996e1e055fbd462d85415a9bb632f90d5cf671f7aeda
Instruction ID: 3facf364c429ff559b5d58dc9a1199473592085c59e493b4249ad9711867bf56
Opcode Fuzzy Hash: 8acf3b7b57d9fef552f1996e1e055fbd462d85415a9bb632f90d5cf671f7aeda
Instruction Fuzzy Hash: 59915E72A087048BC714DF38C49071BBBE2EBDA760F558F2DE8A997390DB7098458B52

Function 608A8610 Relevance: 3.2, APIs: 2, Instructions: 185COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(?,608A8DC0,608A8E30,?,?,?,?,?,?,?,?,?,?,?,608A85A7,?), ref: 608A869C
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,608A85A7,?,608A82E0,?), ref: 608A87F1

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: 1995bef4a98c08533c86e984813ff1fba233036e2dd14a9c58841e477ddbb4d2
Instruction ID: b62544d12f73692878fcb3d572c531e33e2a0398251559a81fe14dc5fe650864
Opcode Fuzzy Hash: 1995bef4a98c08533c86e984813ff1fba233036e2dd14a9c58841e477ddbb4d2
Instruction Fuzzy Hash: 7061D0B1E10219DFDB04DFA8C880A9EBBB5FF69304B100929E405AB741DB70ED55CBE1

Function 608CF2E0 Relevance: 3.2, APIs: 2, Instructions: 157synchronizationCOMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 608CF3A7
WaitForSingleObject.KERNEL32(?,FFFFFFFF), ref: 608CF3DA

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ObjectSingleWait__aulldiv
String ID:
API String ID: 4220739757-0
Opcode ID: b7e11f01af84220a06aa7649051bb33ecf1daa28da173b6ea00a5d7e52807379
Instruction ID: 2359d35a8d8a1bf323f712bb7b01f68926bcd74a35d1b28684bf891ffe493a6f
Opcode Fuzzy Hash: b7e11f01af84220a06aa7649051bb33ecf1daa28da173b6ea00a5d7e52807379
Instruction Fuzzy Hash: B0419172B483055BD708CE7CC89175BB6E6EBE5720F294B3EE4A9C73D1DA70D8088652

Function 60874D80 Relevance: 3.1, APIs: 2, Instructions: 95COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?,00000000), ref: 60874DC7
GetSystemInfo.KERNEL32(?,00000000), ref: 60874E89

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: InfoSystem
String ID:
API String ID: 31276548-0
Opcode ID: 9f854b66b5e19da84814511bee81377761c1f6ab7f00c64048192435550c8302
Instruction ID: 81bebc351f4af74e54f8ca1e5f3afee23af4e84a93d5c7b5f0ecc5509e6efa29
Opcode Fuzzy Hash: 9f854b66b5e19da84814511bee81377761c1f6ab7f00c64048192435550c8302
Instruction Fuzzy Hash: 97410EB3D397A18ADB04CF25CE40575BFA6FBDF600B10535AE485A2361EBB449C0EB80

Function 608A6790 Relevance: 2.0, APIs: 1, Instructions: 498COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 608A6855

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: __floor_pentium4
String ID:
API String ID: 4168288129-0
Opcode ID: 9dd3ab40a3db7fd7ef4c939c6cc4f0242eff1864c059f0a20b2308bb67736515
Instruction ID: d3204bc2ec2e8a8e4eb0bd883597224c919d6bda0b108e9caece562a86866faa
Opcode Fuzzy Hash: 9dd3ab40a3db7fd7ef4c939c6cc4f0242eff1864c059f0a20b2308bb67736515
Instruction Fuzzy Hash: BF02D0726083059FC724CF28C851A9FBBE9EFE9314F044D1CF98997645DB30AA15CBA2

Function 6090427A Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,-000000A8,?,?,-00000078,-00000084,60903D75,-00000104,-00000058,?,?,-00000068,-00000060,00000000), ref: 609044A7

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 906dba4c41b9458f40064267b8d4cec380fe5811daad6cc182892fa2da9d0e1d
Instruction ID: 1777168e97155c3c748ecc0673fa9d7c166c751b2b451ad71f280e4f5be58f09
Opcode Fuzzy Hash: 906dba4c41b9458f40064267b8d4cec380fe5811daad6cc182892fa2da9d0e1d
Instruction Fuzzy Hash: C0B128B16106089FD705CF28C586B557BE2FF65364F25869CE8AACF2A1C335E991CF40

Function 608FF346 Relevance: 1.7, APIs: 1, Instructions: 199fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 608FF4E7
FindNextFileW.KERNEL32(00000000,?), ref: 608FF5DB
FindClose.KERNEL32(00000000), ref: 608FF61A
FindClose.KERNEL32(00000000), ref: 608FF64D

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 9c1fea4883ee71f7641b28cee5e7e876f51a07c3acfa98e377b117f4db50452e
Instruction ID: a80ad9f5097ffb430c30129c39cc83294af8e8522c9d20eaa244e253b86b5ed4
Opcode Fuzzy Hash: 9c1fea4883ee71f7641b28cee5e7e876f51a07c3acfa98e377b117f4db50452e
Instruction Fuzzy Hash: E751257294411C6FDB04CF3C8C91AAE7BAADFB5288F104999F41997302EB309D42DB64

Function 608E4397 Relevance: 1.6, Strings: 1, Instructions: 385COMMON

Download Yara Rule

Strings

0, xrefs: 608E4528

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 55a1b8cb74a5fe3cd9163c65143af9e7040ce2f083f6a473af07d81daa8b9544
Instruction ID: 0fbf68a781771fb3b0209e78835480ba4c2d50a84fc90bff3d180c11475c13d7
Opcode Fuzzy Hash: 55a1b8cb74a5fe3cd9163c65143af9e7040ce2f083f6a473af07d81daa8b9544
Instruction Fuzzy Hash: 3CD1E47060560A8FDB14CF6AC480B6ABBB1FFA7318F106E19D56E9B690D730AD41CB54

Function 60901085 Relevance: 1.6, APIs: 1, Instructions: 116timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000), ref: 609010F7

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: InformationTimeZone
String ID:
API String ID: 565725191-0
Opcode ID: 20723915d1d9c7aefac9eec855bbc4401f4f680d0a682ce1d7abfc32db6c0aad
Instruction ID: 44b149ab7d1ed8ee8c8c27928da1b755fff3be0ebcd67c0d2759c52fbf4152fe
Opcode Fuzzy Hash: 20723915d1d9c7aefac9eec855bbc4401f4f680d0a682ce1d7abfc32db6c0aad
Instruction Fuzzy Hash: EB31D572914225ABCF15DFAACC0294E7F7AEF27758F10445AF915A72A0DB30DD40DB90

Function 608FED50 Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 608F9B3A: GetLastError.KERNEL32(FD0333F8,FD0333E8,608FDDD2,609598C0,0000000C,608FA1D4,FD0333F4,6090E542,608E229D,00000000,FD0333F4,?,56609572,FD0333E8,8D609450,FD0333E8), ref: 608F9B3E
Part of subcall function 608F9B3A: SetLastError.KERNEL32(00000000), ref: 608F9BE0

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 608FEDA4

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 432d4cad4bfdb7fadf47ae64b7e0d7558b5eecf3d996e436963ebd429bf083a7
Instruction ID: f4a01af03364994dca1951fc38c86410bed034ae290f1bb487b491ce95112e2c
Opcode Fuzzy Hash: 432d4cad4bfdb7fadf47ae64b7e0d7558b5eecf3d996e436963ebd429bf083a7
Instruction Fuzzy Hash: 8821F23261421EABDB19DB38DC42AAA37A8EF65354F10447AF905D7141FB74ED42CB50

Function 608E2E8A Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

0, xrefs: 608E300E

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 6e6f941ffacae608b34364d239cc6d82e4499e731bf8febe52e355f7643725f1
Instruction ID: 0f5733a04d0323a192ac2e8c754bcb98694e640f74af2ec462be209b297b37e5
Opcode Fuzzy Hash: 6e6f941ffacae608b34364d239cc6d82e4499e731bf8febe52e355f7643725f1
Instruction Fuzzy Hash: 1CB1E970904A0B9BCB25CF6AC555AAEBFB1EF23304F100E1DE562A76A1CB35DE41CB51

Function 608FE9E8 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 608F9B3A: GetLastError.KERNEL32(FD0333F8,FD0333E8,608FDDD2,609598C0,0000000C,608FA1D4,FD0333F4,6090E542,608E229D,00000000,FD0333F4,?,56609572,FD0333E8,8D609450,FD0333E8), ref: 608F9B3E
Part of subcall function 608F9B3A: SetLastError.KERNEL32(00000000), ref: 608F9BE0

EnumSystemLocalesW.KERNEL32(608FEA90,00000001,00000000,?,-00000050,?,608FE873,00000000,-00000002,00000000,?,00000055,?), ref: 608FEA5A

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: c1f6b31d6b2aa3fbd913a5d96ae0ab369cbecae42eb930179d36ffa8cdc3b59c
Instruction ID: 89d957f46379fadf2c077be357b6a89e68041fe9124375c31da641cedbe906ac
Opcode Fuzzy Hash: c1f6b31d6b2aa3fbd913a5d96ae0ab369cbecae42eb930179d36ffa8cdc3b59c
Instruction Fuzzy Hash: 0F11E9362047095FDB18DF79C89156ABBA2FF903A8B14482DE54787740E771B943C740

Function 608FEE70 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 608F9B3A: GetLastError.KERNEL32(FD0333F8,FD0333E8,608FDDD2,609598C0,0000000C,608FA1D4,FD0333F4,6090E542,608E229D,00000000,FD0333F4,?,56609572,FD0333E8,8D609450,FD0333E8), ref: 608F9B3E
Part of subcall function 608F9B3A: SetLastError.KERNEL32(00000000), ref: 608F9BE0

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 608FEEC4

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 8dc7b26e4ff4604265b3f2eabd5d65661480ac45ce9552e88076b00ee7d74ec6
Instruction ID: b1bf8727def6613674f69d682c056fd26358bc4660b01feb719de9c5d05b4b60
Opcode Fuzzy Hash: 8dc7b26e4ff4604265b3f2eabd5d65661480ac45ce9552e88076b00ee7d74ec6
Instruction Fuzzy Hash: 5B11323261021AABDB18DF3CDC02AAA7BE8EF15364B20457AE505D7280EF38EC02C750

Function 60930400 Relevance: 1.5, Strings: 1, Instructions: 299COMMON

Download Yara Rule

Strings

0, xrefs: 609307BA

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: e948e3ea53fb0c5fd05286d14feb887f96ba4db8d8fa666f5328f6b3743a6774
Instruction ID: 5a6d207581c98fc1de8d66e5a3b30f5d8ef492af98907b698f0e9406096259fc
Opcode Fuzzy Hash: e948e3ea53fb0c5fd05286d14feb887f96ba4db8d8fa666f5328f6b3743a6774
Instruction Fuzzy Hash: 9CD1B071D18FD687E7179B3D88432A6F3A1BFEA254F10D71AECD036651EB70A2818781

Function 608FF01D Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 608F9B3A: GetLastError.KERNEL32(FD0333F8,FD0333E8,608FDDD2,609598C0,0000000C,608FA1D4,FD0333F4,6090E542,608E229D,00000000,FD0333F4,?,56609572,FD0333E8,8D609450,FD0333E8), ref: 608F9B3E
Part of subcall function 608F9B3A: SetLastError.KERNEL32(00000000), ref: 608F9BE0

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,608FECAC,00000000,00000000,?), ref: 608FF049

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: f6787f3203270ca0fcbd03b716ecd55f5c9822d2220b731755a8d0fe618189d5
Instruction ID: a87ce6f410c476f7e4d97821e0842ce7369391a4364f8044585b6b6f3995e0f0
Opcode Fuzzy Hash: f6787f3203270ca0fcbd03b716ecd55f5c9822d2220b731755a8d0fe618189d5
Instruction Fuzzy Hash: 6D01D0326905196BDB18C67488057AA3B94DFA0394F214C28EC55E3142DF70FD43C6D0

Function 6090E1E0 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6090E243

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 885266447-0
Opcode ID: 71f7d3d11f2cfba70c354c1f305d2d28506cb2115752a8d02b72b876d8631e93
Instruction ID: d318b22a942ed64af7fe1a237d3d838db06a3b485581a1beea1bd41194fd857e
Opcode Fuzzy Hash: 71f7d3d11f2cfba70c354c1f305d2d28506cb2115752a8d02b72b876d8631e93
Instruction Fuzzy Hash: 8F014CB69007059FD710DF58DD45B5ABBF4FB49700F10882DE98AE3740D734A800CB90

Function 608FECE3 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 608F9B3A: GetLastError.KERNEL32(FD0333F8,FD0333E8,608FDDD2,609598C0,0000000C,608FA1D4,FD0333F4,6090E542,608E229D,00000000,FD0333F4,?,56609572,FD0333E8,8D609450,FD0333E8), ref: 608F9B3E
Part of subcall function 608F9B3A: SetLastError.KERNEL32(00000000), ref: 608F9BE0

EnumSystemLocalesW.KERNEL32(608FED50,00000001,00000000,?,-00000050,?,608FE83B,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?), ref: 608FED2D

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 4031a96c7bf66d4989dab07da14fbd30f01d57bd15ab7c52200e4cbffda1ace1
Instruction ID: 09c0167202879449490ccdd76fb350c91cb3689fa7d648f6666f4493bea7c47f
Opcode Fuzzy Hash: 4031a96c7bf66d4989dab07da14fbd30f01d57bd15ab7c52200e4cbffda1ace1
Instruction Fuzzy Hash: FBF0C23620430C5FD7159F799881A6A7F92EF813A8B15882CF9454BA50E671AC03CB50

Function 608FA9CD Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 608FAAD1: EnterCriticalSection.KERNEL32(-000C3321,?,608EB859,00000000), ref: 608FAAE0

EnumSystemLocalesW.KERNEL32(608FA9C0,00000001,60959800,0000000C,608FA331,-00000050), ref: 608FAA05

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 286c8d64f52bdee3d7f5a2e702e0f5ccda3862aa3f4cb7aad48a2bb8b39d235c
Instruction ID: 7d8647d3f7b51b752123bc169dba69dd9cf29e7727048ac2e7fdc7c671241fc7
Opcode Fuzzy Hash: 286c8d64f52bdee3d7f5a2e702e0f5ccda3862aa3f4cb7aad48a2bb8b39d235c
Instruction Fuzzy Hash: B6F087B6A14214EFDB00CFA9C901B987FB1EB5A324F10442AE411EB2A0DB754A09DB50

Function 608FEE25 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 608F9B3A: GetLastError.KERNEL32(FD0333F8,FD0333E8,608FDDD2,609598C0,0000000C,608FA1D4,FD0333F4,6090E542,608E229D,00000000,FD0333F4,?,56609572,FD0333E8,8D609450,FD0333E8), ref: 608F9B3E
Part of subcall function 608F9B3A: SetLastError.KERNEL32(00000000), ref: 608F9BE0

EnumSystemLocalesW.KERNEL32(608FEE70,00000001,00000000,?,?,608FE895,-00000050,-00000002,00000000,?,00000055,?,-00000050,?,?,?), ref: 608FEE5C

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: d5170c3bbe621b658c64a2598148093dd4a9832477d993f2a383c23a44bc93e9
Instruction ID: f66843aa6b87b820d051c7c47af06fa9acf36dc7fc73839b46af4c4717a3e7b8
Opcode Fuzzy Hash: d5170c3bbe621b658c64a2598148093dd4a9832477d993f2a383c23a44bc93e9
Instruction Fuzzy Hash: 4AF02B363042095BCB05DF3AE855A6ABFA5EFC27A4F064458EA09CB250E6319C43C790

Function 608FA48C Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,00000000,?,608ED863,?,20001004,00000000,00000002,?,?,608EC774), ref: 608FA4C0

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 0868337db7b254af26af1e25dd295dd1a92eafdcb047425ea82d9a928fb84694
Instruction ID: 2222d9420f64b116bf6df45eda2b723bc398e350d00ac7d64498561d299e8a2f
Opcode Fuzzy Hash: 0868337db7b254af26af1e25dd295dd1a92eafdcb047425ea82d9a928fb84694
Instruction Fuzzy Hash: 11E0487155051CBBCF125F75CC08E9D7F1AFF557E0F048820FC15A5220DB758922A695

Function 60885120 Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMONLIBRARYCODE

Download Yara Rule

APIs

NtClose.NTDLL ref: 60885131

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: 90ff1b2841543209a3e488b5ce3113970c50036445ec7c47e857843a38ee376e
Instruction ID: 5212f31e6174c28dccd1c15655de09cbefbd24c965634e68e61a21f4135a6bbf
Opcode Fuzzy Hash: 90ff1b2841543209a3e488b5ce3113970c50036445ec7c47e857843a38ee376e
Instruction Fuzzy Hash: 92C0802506532975C701AA589C057D77F4ECB73554F400842F40557611579C9E4043D7

Function 608A8BC0 Relevance: 1.4, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

3333, xrefs: 608A8C8D

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID:
String ID: 3333
API String ID: 0-2924271548
Opcode ID: 16c4a92bcdff115fb3d673f6b3632f00534dfde618df8abf4d287101c5bcc284
Instruction ID: f32968c0bc3a40550b89774aa339ecb962664c9b1acb3b47501ce2e197b07a26
Opcode Fuzzy Hash: 16c4a92bcdff115fb3d673f6b3632f00534dfde618df8abf4d287101c5bcc284
Instruction Fuzzy Hash: 47511832B041A6CB9B45CE29C88055EFBB3EFAA220719C966D854DF745D275CC42CBB0

Function 60864C00 Relevance: .5, Instructions: 483COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33255b387876b0ffff02756bacb5867b5c9a0f0e6895bb8b19990903004e9c3e
Instruction ID: 4ab8ad2203c630dac9683ec1ab8d48b33e98db7df180323c25fed6767faa16f2
Opcode Fuzzy Hash: 33255b387876b0ffff02756bacb5867b5c9a0f0e6895bb8b19990903004e9c3e
Instruction Fuzzy Hash: AA0280711187098FC356EE1CD49031AF7E2FFC8305F1A8A2CD68587B65E739A9198F86

Function 60862640 Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c33fb274095a188932260f0ea2736bc6a8e3ca316cc910230737caadc8204e01
Instruction ID: c5949e11dfedeb64841af71f3775169017e5293845d4d66f11c135843cfe73c8
Opcode Fuzzy Hash: c33fb274095a188932260f0ea2736bc6a8e3ca316cc910230737caadc8204e01
Instruction Fuzzy Hash: D8F18221C1DFDA87D6138B3A8542166F3A0BFFA288F15EF0AFDD435412EB60B6D49240

Function 608D51D0 Relevance: .4, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1935eeddb9289ade305837bc531e30e8579e18dcaa451417ce20e62bd971f3e
Instruction ID: 645fd20feaba9bc92d647f0008db9639275075f7df1985589e5347d3f26e0ebe
Opcode Fuzzy Hash: b1935eeddb9289ade305837bc531e30e8579e18dcaa451417ce20e62bd971f3e
Instruction Fuzzy Hash: 74D1E571E042284BDB09CF99C4912EDBBF3EBAA310F24872BD462773D5C6755945CB90

Function 608620B0 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01eef35076e03c2ca61ca294521eaf8e3a6a0edeb0c2c68d9f1c504fd829c17a
Instruction ID: 017c446bff4006efb32f967e70cf87b26c0adccce06509ebe34d62506c636267
Opcode Fuzzy Hash: 01eef35076e03c2ca61ca294521eaf8e3a6a0edeb0c2c68d9f1c504fd829c17a
Instruction Fuzzy Hash: 36E19121C1DFDA87D6128B3A8542166F3A0BFFB288F15DB1AFDD431422EB61B6D49240

Function 609310C0 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c0f3727dd7af6051af36bcbbd38abdc4fd191c0c31d23c30c148d53d93dcb1d
Instruction ID: d2aca20b52af8e18414d9c762a01f275254f00cd40d617f1f7fce262f8eba884
Opcode Fuzzy Hash: 7c0f3727dd7af6051af36bcbbd38abdc4fd191c0c31d23c30c148d53d93dcb1d
Instruction Fuzzy Hash: 94D1A765C29FD981E3239B3D980337BE3A0BFFB254F50EB1ABDD431811EB614245A246

Function 60862FD7 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d25fdca7beecf1414b72e6d31f1b34f779b0e3c247a1026b9bffc012008825be
Instruction ID: 1613e28511e0eb38a9a0056d98a358b2f05c4efd445828947ed33ef6fe9402d8
Opcode Fuzzy Hash: d25fdca7beecf1414b72e6d31f1b34f779b0e3c247a1026b9bffc012008825be
Instruction Fuzzy Hash: D6A1AE21C29F8546F707BB794453350E331AFF3248F51CB06FDA178A66EF62BA885261

Function 60862C30 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dd4c44225567eee2d7751b73d10631589946bc71cb5d53a591a32a9ba35f940
Instruction ID: b1b618e49f04be855fb09e0ec064163468dda4153140905fee9679e03190c3b9
Opcode Fuzzy Hash: 2dd4c44225567eee2d7751b73d10631589946bc71cb5d53a591a32a9ba35f940
Instruction Fuzzy Hash: 6B918810D1CF9D83E6129F3D85411A6F3A1FFBE208B16EF4AEDD476812DB60BAD59240

Function 60879310 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b1a4fc74dee495a06c1df2e40ad4fde2d6bccae3d2d442c0dfaf3b37e938fca
Instruction ID: 7747ddf4c2dc0fe98d79e132e2606a96854c6aad5472af2bbed1ec9623a5c605
Opcode Fuzzy Hash: 3b1a4fc74dee495a06c1df2e40ad4fde2d6bccae3d2d442c0dfaf3b37e938fca
Instruction Fuzzy Hash: C161D671E04219CFDB39CE68C4D02AEB7F3EB95310F15C669D895AB399C3355846CB90

Function 608664C9 Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20e27cd1294e25ddc6d7be20974898094e3d3db1bf7931f2d7eb99be54948a70
Instruction ID: 589318cfde44df870099cb7b133c53f15291bb83e9274031cc2d8380b5527def
Opcode Fuzzy Hash: 20e27cd1294e25ddc6d7be20974898094e3d3db1bf7931f2d7eb99be54948a70
Instruction Fuzzy Hash: AA514DDAC29FAA45E323673E5883292EA10AEF7548511E347FCF434E11F701B5D47220

Function 60930930 Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9aae9cbcaafac4b9ccba817cc42916a6aac50bff3d49acc2325dc41fb21a025
Instruction ID: db0752866679468ea3d85d405d751f97d1140eb6ccef351ca756527dc4d4e7d3
Opcode Fuzzy Hash: a9aae9cbcaafac4b9ccba817cc42916a6aac50bff3d49acc2325dc41fb21a025
Instruction Fuzzy Hash: 68712850858FA992EB134F3D94836F5F7B1FFA9219F54A341DEC039426FB31A2CA8240

Function 608687FD Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7843b180895422b3b0bcc0ba4a262943549954c7f4171b96b157888fc70d2e22
Instruction ID: fea8dbd7f855a690eab537fb9c7c7a4655c5894a7a59b37ee2e2b00fa2157390
Opcode Fuzzy Hash: 7843b180895422b3b0bcc0ba4a262943549954c7f4171b96b157888fc70d2e22
Instruction Fuzzy Hash: 69518CF390D3985BD3249FA5CC8129AF3E0BFE8250F4B872DED84E7601EB7556419681

Function 60930E60 Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f16510a8b77fc55dadb5f5361f22909b1c4a1ae21351e712238b11c1d2ceb2c
Instruction ID: 0b8136570c1cdd915207d740e1162c6c99d4b274a4b232d3d36b725173b2a1cd
Opcode Fuzzy Hash: 7f16510a8b77fc55dadb5f5361f22909b1c4a1ae21351e712238b11c1d2ceb2c
Instruction Fuzzy Hash: 99510B65D38FCA46E3136B3DA403226E714AFF7598E20E71BFDE438C52FB5192826109

Function 608D32F0 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f45447a1f49b308f2766f79545e87f440deb19c604be5614e3f5b56c293025f
Instruction ID: 7f039532aab8545b9584a0acdc8d0e8531fbb0fd28b739a11a7759e195232adb
Opcode Fuzzy Hash: 6f45447a1f49b308f2766f79545e87f440deb19c604be5614e3f5b56c293025f
Instruction Fuzzy Hash: C841C4716002099FDB24DF5DD850A1ABBF6FFA5314B404A2DE8468B391DB71EC58CBD1

Function 60866A5D Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a5f0ccd61e87605ef42d33d3aae0f02861f2c28ac56394109ac1bc1c5e57cda
Instruction ID: 15b7725ed80baa92a6e32dc565262099ff826a4b0dd6b2477390f1638e1bad6e
Opcode Fuzzy Hash: 7a5f0ccd61e87605ef42d33d3aae0f02861f2c28ac56394109ac1bc1c5e57cda
Instruction Fuzzy Hash: C741DA79D1AF6A16EB13A73A6803363E6109FF3559A42DB1BFCB439EA9D70275003214

Function 608AA570 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a30dc8965f88a43c6e3e3deaf3b9d8ca6b7c7131f66e267f0cddb9e9f3c21172
Instruction ID: 805c5cc7d91a4a111d0533e6debe43e89bf02893c49f143d850b85925e9a4989
Opcode Fuzzy Hash: a30dc8965f88a43c6e3e3deaf3b9d8ca6b7c7131f66e267f0cddb9e9f3c21172
Instruction Fuzzy Hash: 1B414FB5C10F809BD762CF329852693BBA1BFB6204F159B2AF89A10621F73175E09B41

Function 60866855 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88447afc45a1f6bcb49f5dd9d78a59160c77bbb213f53383de30a712b68f4499
Instruction ID: 5b4dc3634c27945eba246d77f63d336d335aba6abb24fcd64636edd7ac63b436
Opcode Fuzzy Hash: 88447afc45a1f6bcb49f5dd9d78a59160c77bbb213f53383de30a712b68f4499
Instruction Fuzzy Hash: AD41BBA9D1AF6A16EB13B73A680336396109FF355DA42DB1BFCB439DA9D302B5003254

Function 608646F0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 107553f9aa58eada27e1eca6fa370c498c776e00d3c6a788d6a047e06df94cd1
Instruction ID: a9f5e8140f3649aa5b796b73be5bc45661291e66c0a4782f37a142c293365c50
Opcode Fuzzy Hash: 107553f9aa58eada27e1eca6fa370c498c776e00d3c6a788d6a047e06df94cd1
Instruction Fuzzy Hash: E84180B1910B069FC365CF2ED281516FBF4FB9A2107519A2E9499C7B24E330F995CF90

Function 608DF2E0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 32fa16e4a739220eeb554aadb261fd964c67646e88aab754f440a801bfd39372
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 441138B72C408243D208C92DD8B06AEABD5EAF5224F6B4B6AD0614B7DAD223D842B500

Function 608662CD Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51f477ecbd8c86e18464dd12c1106ff108f6fe7e53e3396059e243e6e9527724
Instruction ID: 3e4aa2ddb2d8e81c8354a7a9abd9c0855dd406e35942f766b766150b3b172115
Opcode Fuzzy Hash: 51f477ecbd8c86e18464dd12c1106ff108f6fe7e53e3396059e243e6e9527724
Instruction Fuzzy Hash: DD1151D9C2AF7A06E713633B5D42242DA105EF7989550D347FCB439D61F701B5C17210

Function 608663ED Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d35fea1031711773cf9ca4232a4cd6f839659ec201a35b62fd392b4a4f0e2cbd
Instruction ID: 7b954fd7434b16f392998e7452f15770c1e012c64c0d35b07d88df37a7d881fe
Opcode Fuzzy Hash: d35fea1031711773cf9ca4232a4cd6f839659ec201a35b62fd392b4a4f0e2cbd
Instruction Fuzzy Hash: CB014FDAC24FAA45E313A33D6843282E6109FF7548620E347FCF838E62F70176D46220

Function 609321E0 Relevance: 33.5, APIs: 1, Strings: 18, Instructions: 282COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 6093221C

Strings

"0x%llx", xrefs: 60932234
NaN, xrefs: 609324B9
0x%llx, xrefs: 60932239, 60932247
"-Infinity", xrefs: 609324D1, 609324E8
Infinity, xrefs: 60932508
false, xrefs: 60932471
string index out of bounds, xrefs: 6093251E
__pos <= size(), xrefs: 60932523
"Infinity", xrefs: 60932503
NULL, xrefs: 60932213, 6093221B, 6093222C, 60932292
%lld, xrefs: 60932259
..\..\third_party\libc++\src\include\string, xrefs: 6093252D
"Unsupported (crbug.com/1225176)", xrefs: 6093229E
-Infinity, xrefs: 609324D2, 609324ED
"NaN", xrefs: 609324B4
%llu, xrefs: 6093226C
%s:%d: assertion %s failed: %s, xrefs: 60932532
true, xrefs: 60932476, 60932484

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: _strlen
String ID: "-Infinity"$"0x%llx"$"Infinity"$"NaN"$"Unsupported (crbug.com/1225176)"$%lld$%llu$%s:%d: assertion %s failed: %s$-Infinity$..\..\third_party\libc++\src\include\string$0x%llx$Infinity$NULL$NaN$__pos <= size()$false$string index out of bounds$true
API String ID: 4218353326-2785851941
Opcode ID: 37280b72eecf8692c6281b7266adc1ce07ec5e0322d040d1d8b561ef9e563ecb
Instruction ID: 3c10e174b81efc75f36e4bb6c74ca15b897a97eb448ddb4913a0bace0e2f3882
Opcode Fuzzy Hash: 37280b72eecf8692c6281b7266adc1ce07ec5e0322d040d1d8b561ef9e563ecb
Instruction Fuzzy Hash: 10915971A48320ABD709CE388C40B6B7BDBAFB6784F144929F8D057291D735CD099BD2

Function 608CAB40 Relevance: 30.2, APIs: 1, Strings: 16, Instructions: 426COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 608CAB5F

Part of subcall function 608D1490: _strlen.LIBCMT ref: 608D14EF

Strings

__s2 < __s1 || __s2 >= __s1+__n, xrefs: 608CAFE6
__len == 0 || __s != nullptr, xrefs: 608CB03B
..\..\third_party\libc++\src\include\string_view, xrefs: 608CB056
vector[] index out of bounds, xrefs: 608CB007, 608CB018
Histogram.MismatchedConstructionArguments, xrefs: 608CAF92
basic_string(const char*) detected nullptr, xrefs: 608CAFC3
__n < size(), xrefs: 608CB00C, 608CB01D
..\..\third_party\libc++\src\include\vector, xrefs: 608CB027
..\..\third_party\libc++\src\include\__string\char_traits.h, xrefs: 608CAFF0
string_view::string_view(_CharT *, size_t): length does not fit in difference_type, xrefs: 608CB047
char_traits::copy overlapped range, xrefs: 608CAFE1
__len <= static_cast<size_type>(numeric_limits<difference_type>::max()), xrefs: 608CB04C
__s != nullptr, xrefs: 608CAFC8
..\..\third_party\libc++\src\include\string, xrefs: 608CAFD2
%s:%d: assertion %s failed: %s, xrefs: 608CAFD7, 608CAFF5, 608CB02C, 608CB05B
string_view::string_view(_CharT *, size_t): received nullptr, xrefs: 608CB036

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: _strlen
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\__string\char_traits.h$..\..\third_party\libc++\src\include\string$..\..\third_party\libc++\src\include\string_view$..\..\third_party\libc++\src\include\vector$Histogram.MismatchedConstructionArguments$__len <= static_cast<size_type>(numeric_limits<difference_type>::max())$__len == 0 || __s != nullptr$__n < size()$__s != nullptr$__s2 < __s1 || __s2 >= __s1+__n$basic_string(const char*) detected nullptr$char_traits::copy overlapped range$string_view::string_view(_CharT *, size_t): length does not fit in difference_type$string_view::string_view(_CharT *, size_t): received nullptr$vector[] index out of bounds
API String ID: 4218353326-637586659
Opcode ID: eb803cb18015d182e7676e5e8c975048d0634179cfa5481ec1b58b583c2f0d4e
Instruction ID: 6b7d9fc5c7ef8a468ca18f4b633174c46bdf29bf2e38bfba414473755a0a38d8
Opcode Fuzzy Hash: eb803cb18015d182e7676e5e8c975048d0634179cfa5481ec1b58b583c2f0d4e
Instruction Fuzzy Hash: DBE1D471A006099FDB15CF69C885B6EBBB6EFB5318F144918E456B7390DB31EC01CB92

Function 608951E0 Relevance: 26.6, APIs: 5, Strings: 10, Instructions: 304timeCOMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 60895203
GetLocalTime.KERNEL32(?,?,?,?,?,?,?,608951D2,?,?,608840C7,608C2279,?,?), ref: 608952E5
_strlen.LIBCMT ref: 608953EF
GetTickCount.KERNEL32 ref: 608954BF
_strlen.LIBCMT ref: 60895518

Strings

null pointer passed to non-null argument of char_traits<...>::length, xrefs: 608954F9
)] , xrefs: 6089543F
__n <= size(), xrefs: 608954ED
:.}l, xrefs: 60895409
..\..\third_party\libc++\src\include\string_view, xrefs: 60895508
__s != nullptr, xrefs: 608954FE
VERBOSE, xrefs: 6089549A
remove_prefix() can't remove more than size(), xrefs: 608954E8
%s:%d: assertion %s failed: %s, xrefs: 6089550D
UNKNOWN, xrefs: 608953EE, 608953F8, 6089548E

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: _strlen$CountLocalTickTime
String ID: %s:%d: assertion %s failed: %s$)] $..\..\third_party\libc++\src\include\string_view$:.}l$UNKNOWN$VERBOSE$__n <= size()$__s != nullptr$null pointer passed to non-null argument of char_traits<...>::length$remove_prefix() can't remove more than size()
API String ID: 3535325690-1815997775
Opcode ID: aaf2a21d3258e5c2fa56d73cb51c17a30213a1c628201ca118087ab126e0063e
Instruction ID: 0cb3c5b6b549aa074e5bc0682d4386f7b389b548186d40c243d071a36dee8c2e
Opcode Fuzzy Hash: aaf2a21d3258e5c2fa56d73cb51c17a30213a1c628201ca118087ab126e0063e
Instruction Fuzzy Hash: ABA1D5B5D102049BCB14DB68DC55BAE7B7AEF7A308F04881CF84667391EB359D04CBA1

Function 60886BB0 Relevance: 24.8, APIs: 2, Strings: 12, Instructions: 349COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000000,00000000,?,00000000,string index out of bounds,?,?,?,?,?,?,?,?,?,SOFTWARE\Policies\,00000000), ref: 60886E4D
GetTempPathW.KERNEL32(00000001,?,00000001,00000000,?,?,?,?,?,?,?,?,?,SOFTWARE\Policies\,00000000,?), ref: 60886F58

Strings

__pos <= size(), xrefs: 608870B1
User Data, xrefs: 60887037
LOCALAPPDATA, xrefs: 60886E09
UserDataDir, xrefs: 60886C5A, 60886C87
..\..\third_party\libc++\src\include\string, xrefs: 6088707A
__s should never be greater than or equal to the short string capacity, xrefs: 6088706B
!empty(), xrefs: 608870C2
SOFTWARE\Policies\, xrefs: 60886C1C
__s < __min_cap, xrefs: 60887070
string index out of bounds, xrefs: 608870AC
string::back(): string is empty, xrefs: 608870BD
%s:%d: assertion %s failed: %s, xrefs: 6088707F

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: PathTemp
String ID: !empty()$%s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\string$LOCALAPPDATA$SOFTWARE\Policies\$User Data$UserDataDir$__pos <= size()$__s < __min_cap$__s should never be greater than or equal to the short string capacity$string index out of bounds$string::back(): string is empty
API String ID: 2920410445-1771266753
Opcode ID: f9ad4840a4659d3d63e0bfffa49cbb359e034cbc171d5c73f1c61bbb658ed8e9
Instruction ID: fe67d8555ab6b0fea3363ddc1c47a1cee6a29be6b6dc150f617ff3f2946c82dc
Opcode Fuzzy Hash: f9ad4840a4659d3d63e0bfffa49cbb359e034cbc171d5c73f1c61bbb658ed8e9
Instruction Fuzzy Hash: 47D101B0E542299ADB21CF14CC89BDABBB2EF71308F1048D9E848B6251DB759F94CF51

Function 6089EE60 Relevance: 23.0, APIs: 4, Strings: 9, Instructions: 287COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(608ADA45,?,608DB361,?,00000002,?), ref: 6089EE79
ReleaseSRWLockExclusive.KERNEL32(?,00000000,Function_00010600,6089F1E0,?,?,608DB361,?,00000002,?), ref: 6089EF90
TryAcquireSRWLockExclusive.KERNEL32(608ADA45,__location != nullptr,null pointer given to construct_at,?,608DB361,?,00000002,?), ref: 6089F07F
ReleaseSRWLockExclusive.KERNEL32(?,?,608DB361,?,00000002,?), ref: 6089F11D

Strings

null pointer given to destroy_at, xrefs: 6089F179
null pointer given to construct_at, xrefs: 6089F04B
__location != nullptr, xrefs: 6089F050
vector::erase(iterator) called with a non-dereferenceable iterator, xrefs: 6089F18C
__position != end(), xrefs: 6089F191
..\..\third_party\libc++\src\include\__memory\construct_at.h, xrefs: 6089F057, 6089F185
__loc != nullptr, xrefs: 6089F17E
..\..\third_party\libc++\src\include\vector, xrefs: 6089F19B
%s:%d: assertion %s failed: %s, xrefs: 6089F05C, 6089F1A0

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\__memory\construct_at.h$..\..\third_party\libc++\src\include\vector$__loc != nullptr$__location != nullptr$__position != end()$null pointer given to construct_at$null pointer given to destroy_at$vector::erase(iterator) called with a non-dereferenceable iterator
API String ID: 17069307-876617012
Opcode ID: 45814c54b89522efc56f14897b7bd65e5dabf225002fac1f56a1a472cc0ed00f
Instruction ID: eb85c95fb4697ed4d887293e9d16ebf8a5457a7509eb116c76b8fe85b950b207
Opcode Fuzzy Hash: 45814c54b89522efc56f14897b7bd65e5dabf225002fac1f56a1a472cc0ed00f
Instruction Fuzzy Hash: E0A1C1B1A40615DBDB15EF2CC841A5ABBB6FF75304B100969F815AB382EB31ED05CB92

Function 60888110 Relevance: 23.0, APIs: 1, Strings: 12, Instructions: 272COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?,?,?,80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000001,?,?,?,?,?,?,?,00000000), ref: 6088827D

Part of subcall function 608940E0: ExpandEnvironmentStringsW.KERNEL32(?,?,00000400,?,?,?,80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000001), ref: 608941A2

Strings

__len <= static_cast<size_type>(numeric_limits<difference_type>::max()), xrefs: 60888484
UBR, xrefs: 60888197
null pointer passed to non-null argument of char_traits<...>::length, xrefs: 60888490
__len == 0 || __s != nullptr, xrefs: 60888473
..\..\third_party\libc++\src\include\string_view, xrefs: 6088849F
__s != nullptr, xrefs: 60888495
SOFTWARE\Microsoft\Windows NT\CurrentVersion, xrefs: 6088817E
DisplayVersion, xrefs: 608881A7
%s:%d: assertion %s failed: %s, xrefs: 608884A4
string_view::string_view(_CharT *, size_t): received nullptr, xrefs: 6088846E
ReleaseId, xrefs: 60888346
string_view::string_view(_CharT *, size_t): length does not fit in difference_type, xrefs: 6088847F

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: CurrentEnvironmentExpandProcessStrings
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\string_view$DisplayVersion$ReleaseId$SOFTWARE\Microsoft\Windows NT\CurrentVersion$UBR$__len <= static_cast<size_type>(numeric_limits<difference_type>::max())$__len == 0 || __s != nullptr$__s != nullptr$null pointer passed to non-null argument of char_traits<...>::length$string_view::string_view(_CharT *, size_t): length does not fit in difference_type$string_view::string_view(_CharT *, size_t): received nullptr
API String ID: 2339647510-1199739361
Opcode ID: e561d3c84a5de8f968d3aa0669bcd1d0189e6d98a9a71490dfc4b92db96cf1e4
Instruction ID: c287f9599f93885b56b39e0ae25f2a8b0b2d6ecac2dcf2aa6d2aac3d73e5166e
Opcode Fuzzy Hash: e561d3c84a5de8f968d3aa0669bcd1d0189e6d98a9a71490dfc4b92db96cf1e4
Instruction Fuzzy Hash: 0CA1A5B1904209DFDB14CF68C881A9ABBF2FF65704F144D2AE849EB341E7B0E945CB56

Function 608A6F20 Relevance: 23.0, APIs: 3, Strings: 10, Instructions: 216COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 608A6F94
GetSystemDirectoryW.KERNEL32(?,00000104), ref: 608A701B
GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 608A7086

Strings

__len <= static_cast<size_type>(numeric_limits<difference_type>::max()), xrefs: 608A744E
null pointer passed to non-null argument of char_traits<...>::length, xrefs: 608A7467
__len == 0 || __s != nullptr, xrefs: 608A743D
..\..\third_party\libc++\src\include\string_view, xrefs: 608A7458
__s != nullptr, xrefs: 608A746C
ProgramW6432, xrefs: 608A727D
MZx, xrefs: 608A6F8F
%s:%d: assertion %s failed: %s, xrefs: 608A745D
string_view::string_view(_CharT *, size_t): received nullptr, xrefs: 608A7438
string_view::string_view(_CharT *, size_t): length does not fit in difference_type, xrefs: 608A7449

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: Directory$FileModuleNameSystemWindows
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\string_view$MZx$ProgramW6432$__len <= static_cast<size_type>(numeric_limits<difference_type>::max())$__len == 0 || __s != nullptr$__s != nullptr$null pointer passed to non-null argument of char_traits<...>::length$string_view::string_view(_CharT *, size_t): length does not fit in difference_type$string_view::string_view(_CharT *, size_t): received nullptr
API String ID: 592745672-244026853
Opcode ID: f8ce61764f26a1b9187d76d5362563d4bf6ab0cd95ba62a9e8cd1af02d8e94ee
Instruction ID: c8df77919148d1ed510de59c99f928d76ef37f8be7a6887e45bc2f525606ae4c
Opcode Fuzzy Hash: f8ce61764f26a1b9187d76d5362563d4bf6ab0cd95ba62a9e8cd1af02d8e94ee
Instruction Fuzzy Hash: 388129B1A052299ADF11DF29CC45BDE7B75EF76308F000894F94973284DB70AB85DE91

Function 6089AD30 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 170COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,00000000,00000000), ref: 6089AD9F
CreateDirectoryW.KERNEL32(?,00000000), ref: 6089AE5A
SetLastError.KERNEL32(00000050,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 6089AE83
GetLastError.KERNEL32 ref: 6089AE90
SetLastError.KERNEL32(00000002), ref: 6089AEC3

Strings

__len <= static_cast<size_type>(numeric_limits<difference_type>::max()), xrefs: 6089AF0E
__len == 0 || __s != nullptr, xrefs: 6089AEFD
..\..\base\files\file_util_win.cc, xrefs: 6089AD70
..\..\third_party\libc++\src\include\string_view, xrefs: 6089AF18
CreateDirectoryAndGetError, xrefs: 6089AD75
string_view::string_view(_CharT *, size_t): received nullptr, xrefs: 6089AEF8
%s:%d: assertion %s failed: %s, xrefs: 6089AF1D
string_view::string_view(_CharT *, size_t): length does not fit in difference_type, xrefs: 6089AF09

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ErrorLast$AttributesCreateDirectoryFile
String ID: %s:%d: assertion %s failed: %s$..\..\base\files\file_util_win.cc$..\..\third_party\libc++\src\include\string_view$CreateDirectoryAndGetError$__len <= static_cast<size_type>(numeric_limits<difference_type>::max())$__len == 0 || __s != nullptr$string_view::string_view(_CharT *, size_t): length does not fit in difference_type$string_view::string_view(_CharT *, size_t): received nullptr
API String ID: 635176117-2164725442
Opcode ID: 740708b5d61860902ca1f72634d24a92ab55476bd8ee027542953e568b188684
Instruction ID: 5d37c4bf041096ea70c2044ea07dcf5ad25e2859be81accec67bb5b4283c24c5
Opcode Fuzzy Hash: 740708b5d61860902ca1f72634d24a92ab55476bd8ee027542953e568b188684
Instruction Fuzzy Hash: A851F174E08315ABDB01EF2DC88176E7BA6EFB6718F108D29F85596280EB70D940C7D2

Function 60880680 Relevance: 21.4, APIs: 1, Strings: 11, Instructions: 421COMMON

Download Yara Rule

APIs

__Init_thread_header.LIBCMT ref: 60880D5D

Strings

Sunday, xrefs: 608806ED
..\..\third_party\libc++\src\include\string, xrefs: 60880C39, 60880C66, 60880C93, 60880CC0, 60880CED, 60880D1A, 60880D44
__s should never be greater than or equal to the short string capacity, xrefs: 60880C2A, 60880C57, 60880C84, 60880CB1, 60880CDE, 60880D0B, 60880D35
Tuesday, xrefs: 60880751
Friday, xrefs: 608807E7
Thursday, xrefs: 608807B5
__s < __min_cap, xrefs: 60880C2F, 60880C5C, 60880C89, 60880CB6, 60880CE3, 60880D10, 60880D3A
Monday, xrefs: 6088071F
Wednesday, xrefs: 60880783
Saturday, xrefs: 60880819
%s:%d: assertion %s failed: %s, xrefs: 60880C3E, 60880C6B, 60880C98, 60880CC5, 60880CF2, 60880D1F, 60880D49

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: Init_thread_header
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\string$Friday$Monday$Saturday$Sunday$Thursday$Tuesday$Wednesday$__s < __min_cap$__s should never be greater than or equal to the short string capacity
API String ID: 3738618077-4282256010
Opcode ID: 37e251105ac2ac7587cfa51eb122a1a08db4b6ec29f8daaa2dab572edab07a9a
Instruction ID: ad481d362069d67aee6926c17abe64e26b1ffab4e23958e31079d2c7aadf13b5
Opcode Fuzzy Hash: 37e251105ac2ac7587cfa51eb122a1a08db4b6ec29f8daaa2dab572edab07a9a
Instruction Fuzzy Hash: 1EF1E0B091A254DEEB50DB28CC08B153FE3EB63728F448D55E0466F3A2D3B6994CDB52

Function 608989E0 Relevance: 21.2, APIs: 1, Strings: 11, Instructions: 207fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,?), ref: 60898B05

Strings

__len <= static_cast<size_type>(numeric_limits<difference_type>::max()), xrefs: 60898C90
__len == 0 || __s != nullptr, xrefs: 60898CA6
vector::erase(iterator) called with a non-dereferenceable iterator, xrefs: 60898C6D
__position != end(), xrefs: 60898C72
..\..\third_party\libc++\src\include\string_view, xrefs: 60898C9A
..\..\third_party\crashpad\crashpad\client\crash_report_database_win.cc, xrefs: 60898BC3
DeleteFile , xrefs: 60898BD5
..\..\third_party\libc++\src\include\vector, xrefs: 60898C7C
%s:%d: assertion %s failed: %s, xrefs: 60898C81
string_view::string_view(_CharT *, size_t): received nullptr, xrefs: 60898CA1
string_view::string_view(_CharT *, size_t): length does not fit in difference_type, xrefs: 60898C8B

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: DeleteFile
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\crashpad\crashpad\client\crash_report_database_win.cc$..\..\third_party\libc++\src\include\string_view$..\..\third_party\libc++\src\include\vector$DeleteFile $__len <= static_cast<size_type>(numeric_limits<difference_type>::max())$__len == 0 || __s != nullptr$__position != end()$string_view::string_view(_CharT *, size_t): length does not fit in difference_type$string_view::string_view(_CharT *, size_t): received nullptr$vector::erase(iterator) called with a non-dereferenceable iterator
API String ID: 4033686569-3858181383
Opcode ID: eaa14a7e0a9ac6ac2eababb3909342f8890d6b61aac547cc232dd24f749578a2
Instruction ID: 65a4ab3a6880810e71c0506c34caaf3aa9be5305b2155256f75b32b1c6762ebe
Opcode Fuzzy Hash: eaa14a7e0a9ac6ac2eababb3909342f8890d6b61aac547cc232dd24f749578a2
Instruction Fuzzy Hash: BA81377190422ADBDB11DF28CC41B99B776EF74318F044A96E80D77241EB70EA88CB91

Function 608AA250 Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 99libraryloaderCOMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNEL32(609871C8,608AA0E0,?,00000000,00000000,608AA570,?,?,00000130), ref: 608AA279
GetLastError.KERNEL32(?,?,00000130), ref: 608AA297
TlsGetValue.KERNEL32(?,?,00000130), ref: 608AA2A5
SetLastError.KERNEL32(00000000,?,?,00000130), ref: 608AA2AE
TlsSetValue.KERNEL32(00000000,?,?,?,?,?,?,00000130), ref: 608AA2D1
AcquireSRWLockExclusive.KERNEL32(609871D4,?,?,00000130), ref: 608AA2E4
ReleaseSRWLockExclusive.KERNEL32(609871D4,?,?,00000130), ref: 608AA2F5
LoadLibraryW.KERNEL32(bcryptprimitives,?,?,?,00000130), ref: 608AA348
GetProcAddress.KERNEL32(00000000,ProcessPrng), ref: 608AA358

Strings

bcryptprimitives, xrefs: 608AA343
ProcessPrng, xrefs: 608AA352

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ErrorExclusiveLastLockOnceValue$AcquireAddressExecuteInitLibraryLoadProcRelease
String ID: ProcessPrng$bcryptprimitives
API String ID: 1967882921-1205050517
Opcode ID: 2ac99a8bcdf41b1f95bd35733fef733774aae9c8bb3d4ec854815c6ce099b315
Instruction ID: 426cd4274b0e7f93c1eed855f3d05f2f2da25a247a1f42b2e1dbb4b948253677
Opcode Fuzzy Hash: 2ac99a8bcdf41b1f95bd35733fef733774aae9c8bb3d4ec854815c6ce099b315
Instruction Fuzzy Hash: E831B171618208ABDF029FA6DC4DA6E7F6AFF57715F000824FC15A6B61DB31DC10DAA1

Function 6088A710 Relevance: 17.7, APIs: 1, Strings: 9, Instructions: 245COMMON

Download Yara Rule

APIs

Part of subcall function 6088AFB0: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 6088AA0F

_strlen.LIBCMT ref: 6088A778

Strings

ptype, xrefs: 6088A741
cana, xrefs: 6088A88D
__s != nullptr, xrefs: 6088A9BE
..\..\third_party\libc++\src\include\string, xrefs: 6088A9AA
__s should never be greater than or equal to the short string capacity, xrefs: 6088A99B
channel, xrefs: 6088A809
__s < __min_cap, xrefs: 6088A9A0
%s:%d: assertion %s failed: %s, xrefs: 6088A9AF
string::assign received nullptr, xrefs: 6088A9B9

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: FileModuleName_strlen
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\string$__s != nullptr$__s < __min_cap$__s should never be greater than or equal to the short string capacity$cana$channel$ptype$string::assign received nullptr
API String ID: 2404361900-1346792814
Opcode ID: 4b10aab36b2f1cc55763805919d876a57cbd1d65ae535fa25a6f117a698bdccc
Instruction ID: abdb7caeebb1e8b8e107e5cf2b6ea188c7295eb788b785cf2af434a04912b7e5
Opcode Fuzzy Hash: 4b10aab36b2f1cc55763805919d876a57cbd1d65ae535fa25a6f117a698bdccc
Instruction Fuzzy Hash: FB81F7B1D04218AFEB11CBA4CC85BAEBFB6EF69304F144929F456A72C1E734A905C761

Function 608925B0 Relevance: 17.7, APIs: 4, Strings: 6, Instructions: 157COMMON

Download Yara Rule

APIs

Part of subcall function 608BE830: _strlen.LIBCMT ref: 608BE8C4

ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,7FFFFFFF,-00000001,?,60924358,00000000), ref: 60892605
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,7FFFFFFF,-00000001,?,60924358,00000000), ref: 6089260F
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,7FFFFFFF,-00000001,?,60924358,00000000), ref: 608926F7
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,7FFFFFFF,-00000001,?,60924358,00000000), ref: 60892701

Part of subcall function 608C38D0: AcquireSRWLockExclusive.KERNEL32(?,?,6088D907,?,?,?,?,?,__len <= static_cast<size_type>(numeric_limits<difference_type>::max()),string_view::string_view(_CharT *, size_t): length does not fit in difference_type), ref: 608C38D4

Strings

SetDisabledWhileLocked, xrefs: 608926B2
..\..\base\trace_event\trace_log.cc, xrefs: 608926AD
..\..\third_party\libc++\src\include\__tree, xrefs: 60892762
node shouldn't be null, xrefs: 60892753
__x != nullptr, xrefs: 60892758
%s:%d: assertion %s failed: %s, xrefs: 60892767

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release$_strlen
String ID: %s:%d: assertion %s failed: %s$..\..\base\trace_event\trace_log.cc$..\..\third_party\libc++\src\include\__tree$SetDisabledWhileLocked$__x != nullptr$node shouldn't be null
API String ID: 3319240422-1649722100
Opcode ID: 04b36d812d37dd9cfe274d2ba53bbe3a65d0f5dfaf4cb9499342c5cde7b4a33a
Instruction ID: c43d360bcea8c7a74a1ebfc662de41b67ba5a4b57100a25a38e556bf9b68311d
Opcode Fuzzy Hash: 04b36d812d37dd9cfe274d2ba53bbe3a65d0f5dfaf4cb9499342c5cde7b4a33a
Instruction Fuzzy Hash: 70519371A04115ABCB05EF6DD880AAEBBB2FF79314F540859E806BB741D734EC41CBA5

Function 6089AF30 Relevance: 17.6, APIs: 2, Strings: 8, Instructions: 117COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 6089AF9B
GetLongPathNameW.KERNEL32(?,00000000,00000000), ref: 6089AFCD

Strings

__len <= static_cast<size_type>(numeric_limits<difference_type>::max()), xrefs: 6089B062
__len == 0 || __s != nullptr, xrefs: 6089B051
..\..\base\files\file_util_win.cc, xrefs: 6089AF6D
..\..\third_party\libc++\src\include\string_view, xrefs: 6089B06C
MakeLongFilePath, xrefs: 6089AF72
string_view::string_view(_CharT *, size_t): received nullptr, xrefs: 6089B04C
%s:%d: assertion %s failed: %s, xrefs: 6089B071
string_view::string_view(_CharT *, size_t): length does not fit in difference_type, xrefs: 6089B05D

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: LongNamePath
String ID: %s:%d: assertion %s failed: %s$..\..\base\files\file_util_win.cc$..\..\third_party\libc++\src\include\string_view$MakeLongFilePath$__len <= static_cast<size_type>(numeric_limits<difference_type>::max())$__len == 0 || __s != nullptr$string_view::string_view(_CharT *, size_t): length does not fit in difference_type$string_view::string_view(_CharT *, size_t): received nullptr
API String ID: 82841172-1206751495
Opcode ID: 290fc2d751bf8021d091e8c203cf8e20a5e528e80dabf3ad6e8574acb9e21749
Instruction ID: faee1e90ea10f838d63a69c3fd30c128f50fda8f2724c60d3055f78638203287
Opcode Fuzzy Hash: 290fc2d751bf8021d091e8c203cf8e20a5e528e80dabf3ad6e8574acb9e21749
Instruction Fuzzy Hash: 8A31E0B1A04750ABD721EB298C45A1B7BAAEFA5754F004D2DF8D5E3240EB70E940C692

Function 6089C2B0 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 110COMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32 ref: 6089C2F7
VerSetConditionMask.KERNEL32(00000000,?,00000001,00000003), ref: 6089C303
VerSetConditionMask.KERNEL32(00000000,?,00000020,00000003,?,00000001,00000003), ref: 6089C30A
VerifyVersionInfoW.KERNEL32(?,00000023,00000000), ref: 6089C32E
__Init_thread_header.LIBCMT ref: 6089C35E

Part of subcall function 608DCF67: EnterCriticalSection.KERNEL32(60976154,?,?,?,6090E691,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D), ref: 608DCF72
Part of subcall function 608DCF67: LeaveCriticalSection.KERNEL32(60976154,?,6090E691,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D,?), ref: 608DCFAF

Part of subcall function 6089C680: LoadLibraryW.KERNEL32(?,?,6089C380,kernel32.dll,::InitializeCriticalSectionEx,00000001,00000003), ref: 6089C686
Part of subcall function 6089C680: GetProcAddress.KERNEL32(00000000,?), ref: 6089C6B0

Part of subcall function 608DCFDD: EnterCriticalSection.KERNEL32(60976154,?,?,6090E6B4,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D,?), ref: 608DCFE7
Part of subcall function 608DCFDD: LeaveCriticalSection.KERNEL32(60976154,?,6090E6B4,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D,?), ref: 608DD01A
Part of subcall function 608DCFDD: WakeAllConditionVariable.KERNEL32(?,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D,?,?,?,608C2085), ref: 608DD08D

InitializeCriticalSection.KERNEL32(6088BDDD,?,?,00000020,00000003,?,00000001,00000003), ref: 6089C3CD

Strings

InitializeCriticalSectionEx, xrefs: 6089C40D
..\..\third_party\crashpad\crashpad\util\win\critical_section_with_debug_info.cc, xrefs: 6089C3FB
::InitializeCriticalSectionEx, xrefs: 6089C371
kernel32.dll, xrefs: 6089C376

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: CriticalSection$Condition$Mask$EnterLeave$AddressInfoInit_thread_headerInitializeLibraryLoadProcVariableVerifyVersionWake
String ID: ..\..\third_party\crashpad\crashpad\util\win\critical_section_with_debug_info.cc$::InitializeCriticalSectionEx$InitializeCriticalSectionEx$kernel32.dll
API String ID: 3140011131-2244720229
Opcode ID: 8798f057cfbe8c3e034efaa890110fbc7f1eca57c8be2d384b866e8d22b45f1b
Instruction ID: 173218a75c950d78529b98e50d3b0d53c2e3eb92e7e52a3880bb4e5c6d9c6fe7
Opcode Fuzzy Hash: 8798f057cfbe8c3e034efaa890110fbc7f1eca57c8be2d384b866e8d22b45f1b
Instruction Fuzzy Hash: 2B317D71514204ABEB10EB28DC46FED7F36EFA6308F004D24FA046A3C2DB75D954D651

Function 608AC040 Relevance: 16.1, APIs: 1, Strings: 8, Instructions: 379COMMON

Download Yara Rule

Strings

null pointer given to destroy_at, xrefs: 608AC197
null pointer given to construct_at, xrefs: 608AC1A5, 608AC2EC
__location != nullptr, xrefs: 608AC1AA, 608AC2F1
..\..\third_party\libc++\src\include\__memory\construct_at.h, xrefs: 608AC1B1, 608AC2F8
__loc != nullptr, xrefs: 608AC19C
Clear, xrefs: 608AC416
..\..\base\task\thread_pool\sequence.cc, xrefs: 608AC411
%s:%d: assertion %s failed: %s, xrefs: 608AC1B6, 608AC2FD

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID:
String ID: %s:%d: assertion %s failed: %s$..\..\base\task\thread_pool\sequence.cc$..\..\third_party\libc++\src\include\__memory\construct_at.h$Clear$__loc != nullptr$__location != nullptr$null pointer given to construct_at$null pointer given to destroy_at
API String ID: 0-1975324229
Opcode ID: d3d2f4bf87905cbb84197b757ae4dd6cb73d4c5c4379efc83a2a42787dc4bbea
Instruction ID: 1df8e29a6e251361a1b54cc05257fd2d13258c0c1d7e390c2ccdda6547d72ffe
Opcode Fuzzy Hash: d3d2f4bf87905cbb84197b757ae4dd6cb73d4c5c4379efc83a2a42787dc4bbea
Instruction Fuzzy Hash: 2FD1B0B1A046169FC700CF69C880A5ABBF6FFA9714F108E2DE855D7742EB31E900CB81

Function 60873250 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 305fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

__Init_thread_header.LIBCMT ref: 60873285

Part of subcall function 608DCF67: EnterCriticalSection.KERNEL32(60976154,?,?,?,6090E691,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D), ref: 608DCF72
Part of subcall function 608DCF67: LeaveCriticalSection.KERNEL32(60976154,?,6090E691,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D,?), ref: 608DCFAF

CreateFileW.KERNEL32 ref: 608733D8
GetLastError.KERNEL32 ref: 608733E8
CloseHandle.KERNEL32(00000000), ref: 60873419
ReadFile.KERNEL32(00000000,?,00000008,00000020,00000000), ref: 6087343E
ReadFile.KERNEL32(00000000,00000000,00000009,00000020,00000000), ref: 60873605

Part of subcall function 608DCFDD: EnterCriticalSection.KERNEL32(60976154,?,?,6090E6B4,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D,?), ref: 608DCFE7
Part of subcall function 608DCFDD: LeaveCriticalSection.KERNEL32(60976154,?,6090E6B4,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D,?), ref: 608DD01A
Part of subcall function 608DCFDD: WakeAllConditionVariable.KERNEL32(?,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D,?,?,?,608C2085), ref: 608DD08D

CloseHandle.KERNEL32(00000000), ref: 6087347D

Strings

BlFilePath, xrefs: 60873348
\ThirdParty, xrefs: 60873300, 60873305, 60873311

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: CriticalSection$File$CloseEnterHandleLeaveRead$ConditionCreateErrorInit_thread_headerLastVariableWake
String ID: BlFilePath$\ThirdParty
API String ID: 544613717-1665164918
Opcode ID: f7925bc523a615899039447c90b60276699c8de518094ba1c0868949607798c4
Instruction ID: 3656fba8b7c3a1935f7b195cf38948ff78d441b016869da38017b882fcf4d2d9
Opcode Fuzzy Hash: f7925bc523a615899039447c90b60276699c8de518094ba1c0868949607798c4
Instruction Fuzzy Hash: 9DB10260B5C1A19EDB36C73488503ADBFB2DFB3208F2C89A8D4945B347DB218C42C796

Function 608C8B30 Relevance: 16.0, APIs: 2, Strings: 7, Instructions: 259COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 608C8BD9
_strlen.LIBCMT ref: 608C8CF3

Strings

__s2 < __s1 || __s2 >= __s1+__n, xrefs: 608C8DB2
char_traits::copy overlapped range, xrefs: 608C8DAD
__s != nullptr, xrefs: 608C8DC8
..\..\third_party\libc++\src\include\string, xrefs: 608C8DD2
basic_string(const char*) detected nullptr, xrefs: 608C8DC3
..\..\third_party\libc++\src\include\__string\char_traits.h, xrefs: 608C8DBC
%s:%d: assertion %s failed: %s, xrefs: 608C8DD7

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: _strlen
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\__string\char_traits.h$..\..\third_party\libc++\src\include\string$__s != nullptr$__s2 < __s1 || __s2 >= __s1+__n$basic_string(const char*) detected nullptr$char_traits::copy overlapped range
API String ID: 4218353326-864542565
Opcode ID: db1186b4f6fb66b0e8c9964faeda62df38374c1a72b3490cc10a2e7b4c4a7f9c
Instruction ID: 3a528c174609a69cddce689efb0347bf729e0f0db8878c803bb1ce9a89314083
Opcode Fuzzy Hash: db1186b4f6fb66b0e8c9964faeda62df38374c1a72b3490cc10a2e7b4c4a7f9c
Instruction Fuzzy Hash: 5881F8B0A40214DFCB04CF68C491BAEBBF5EF69314F148969E905AB381D771DD05CBA2

Function 608C8EA0 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 163COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 608C8EB7

Strings

__len <= static_cast<size_type>(numeric_limits<difference_type>::max()), xrefs: 608C8FDE
null pointer passed to non-null argument of char_traits<...>::length, xrefs: 608C8FB7
__len == 0 || __s != nullptr, xrefs: 608C8FCD
..\..\third_party\libc++\src\include\string_view, xrefs: 608C8FE8
__s != nullptr, xrefs: 608C8FBC
%s:%d: assertion %s failed: %s, xrefs: 608C8FED
string_view::string_view(_CharT *, size_t): received nullptr, xrefs: 608C8FC8
string_view::string_view(_CharT *, size_t): length does not fit in difference_type, xrefs: 608C8FD9

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: _strlen
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\string_view$__len <= static_cast<size_type>(numeric_limits<difference_type>::max())$__len == 0 || __s != nullptr$__s != nullptr$null pointer passed to non-null argument of char_traits<...>::length$string_view::string_view(_CharT *, size_t): length does not fit in difference_type$string_view::string_view(_CharT *, size_t): received nullptr
API String ID: 4218353326-531327726
Opcode ID: 50ee7f18f23314529c847b85683d9dd121b0dba59ba795435fc65442a38f8090
Instruction ID: f5fbc14e8b24976ff2e94ec9d1c94483801871cd9c6fa9ed29b377c391bd7034
Opcode Fuzzy Hash: 50ee7f18f23314529c847b85683d9dd121b0dba59ba795435fc65442a38f8090
Instruction Fuzzy Hash: 5941D4717A4319EB9B00CF29DCC0B6A77BBEBA5718705493DF941A7241DBB0EC04C6A2

Function 608740F0 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82COMMON

Download Yara Rule

APIs

AcquireSRWLockExclusive.KERNEL32(00000030,?,00000000,?,60874838,?,?,?,?,?,?,?,?,?,?), ref: 60874118
SleepConditionVariableSRW.KERNEL32(00000034,00000030,00000000,00000000,?,60874838,?,?,?,?,?,?,?,?,?,?), ref: 60874137
ReleaseSRWLockExclusive.KERNEL32(00000030,?,60874838,?,?,?,?,?,?,?,?,?,?,?,6090C016), ref: 60874152
GetLastError.KERNEL32(?,60874838,?,?,?,?,?,?,?,?,?,?,?,6090C016), ref: 60874176
AcquireSRWLockExclusive.KERNEL32(?,00000030,?,?,?,?,?,?,?,?,?,60874838,?), ref: 608741A7
WakeConditionVariable.KERNEL32(?,?,00000030,?,?,?,?,?,?,?,?,?,60874838,?), ref: 608741BA
ReleaseSRWLockExclusive.KERNEL32(?,?,00000030,?,?,?,?,?,?,?,?,?,60874838,?), ref: 608741C1

Strings

SleepConditionVariableSRW failed: %lu, xrefs: 60874188
win32_waiter.cc, xrefs: 6087418F

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ExclusiveLock$AcquireConditionReleaseVariable$ErrorLastSleepWake
String ID: SleepConditionVariableSRW failed: %lu$win32_waiter.cc
API String ID: 4254592985-2919041413
Opcode ID: 85843befa4cf2943cbc58654ec8c5da02d06b3865bbcf7a26fcf8ad7e962bc5c
Instruction ID: f1f5167e0d49668a71be818125345e7cc3c452fa245edd22891284eeddb98b09
Opcode Fuzzy Hash: 85843befa4cf2943cbc58654ec8c5da02d06b3865bbcf7a26fcf8ad7e962bc5c
Instruction Fuzzy Hash: A5219771614604AFD725EB6ACC44A5FBFB9EFA5350F40C81DF45A92291D730E840DB61

Function 608A4650 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 289COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(60987130), ref: 608A4693
ReleaseSRWLockExclusive.KERNEL32(60987130), ref: 608A46D9
__Init_thread_header.LIBCMT ref: 608A477E

Part of subcall function 608DCF67: EnterCriticalSection.KERNEL32(60976154,?,?,?,6090E691,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D), ref: 608DCF72
Part of subcall function 608DCF67: LeaveCriticalSection.KERNEL32(60976154,?,6090E691,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D,?), ref: 608DCFAF

__Init_thread_header.LIBCMT ref: 608A47B4
__Init_thread_header.LIBCMT ref: 608A47EA
ReleaseSRWLockExclusive.KERNEL32(60987130), ref: 608A4941

Strings

MonitorNextJankWindowIfNecessary, xrefs: 608A49EB
..\..\base\threading\scoped_blocking_call_internal.cc, xrefs: 608A49E6

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ExclusiveInit_thread_headerLock$CriticalReleaseSection$AcquireEnterLeave
String ID: ..\..\base\threading\scoped_blocking_call_internal.cc$MonitorNextJankWindowIfNecessary
API String ID: 722464544-733433259
Opcode ID: 94ef4bd708de369674646477cc232bd64376a5399653b892a6ca505f7b4c9124
Instruction ID: acfcad83567c07c5517c0bb9dc716ce6fb26e432647031b309417faad013c916
Opcode Fuzzy Hash: 94ef4bd708de369674646477cc232bd64376a5399653b892a6ca505f7b4c9124
Instruction Fuzzy Hash: ADB10C716082008FDB04CF28C84575ABBE2EBE6724F154E3DE8AA577D1EF34E8418B91

Function 608B27C0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(6095BC70), ref: 608B2807
ReleaseSRWLockExclusive.KERNEL32(6095BC70), ref: 608B2862
ReleaseSRWLockExclusive.KERNEL32(?,00000001), ref: 608B294B
TryAcquireSRWLockExclusive.KERNEL32(?,?), ref: 608B29A2
TryAcquireSRWLockExclusive.KERNEL32(?), ref: 608B2A02

Strings

first, xrefs: 608B2AC8

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release
String ID: first
API String ID: 1678258262-2456940119
Opcode ID: 09b8c4e332a7f0d62d918a9aa03e4886e73dff8dfabf30a1a656f38fcd7ef0f4
Instruction ID: 98cf9b228e0ceb3b30ad9f377435855a2d2f3849265fe5a52e28eafb8e863c11
Opcode Fuzzy Hash: 09b8c4e332a7f0d62d918a9aa03e4886e73dff8dfabf30a1a656f38fcd7ef0f4
Instruction Fuzzy Hash: EB91C1316047118FCB15CF29C894B6ABFE2EF99300F14887DE8999B3A5D738AC41CB91

Function 60888C80 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 232COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32(00000018), ref: 60888D36

Strings

__len <= static_cast<size_type>(numeric_limits<difference_type>::max()), xrefs: 60888F1C
__len == 0 || __s != nullptr, xrefs: 60888F0B
..\..\third_party\libc++\src\include\string_view, xrefs: 60888F26
browser, xrefs: 60888CF9, 60888D00, 60888D1D
string_view::string_view(_CharT *, size_t): received nullptr, xrefs: 60888F06
%s:%d: assertion %s failed: %s, xrefs: 60888F2B
string_view::string_view(_CharT *, size_t): length does not fit in difference_type, xrefs: 60888F17

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: CurrentProcess
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\string_view$__len <= static_cast<size_type>(numeric_limits<difference_type>::max())$__len == 0 || __s != nullptr$browser$string_view::string_view(_CharT *, size_t): length does not fit in difference_type$string_view::string_view(_CharT *, size_t): received nullptr
API String ID: 2050909247-1697038791
Opcode ID: 39933d2c3d8c8aab8821c28204049a79fa82eb137e88f39df3980ccb1b6144b8
Instruction ID: a314e95dc2e0162a3e78b2d10b3b0d62cca74f2032516d3b93d7caeac57ad78b
Opcode Fuzzy Hash: 39933d2c3d8c8aab8821c28204049a79fa82eb137e88f39df3980ccb1b6144b8
Instruction Fuzzy Hash: DA71D3B1A04214ABDB11DB69DC41AAE7FB6EFB6308F140C29F945B7281DB70DD04CB92

Function 6092EC10 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 144fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNEL32(?), ref: 6092EC6E
GetLastError.KERNEL32 ref: 6092EC74

Part of subcall function 60929A10: FindClose.KERNEL32(6092EB55,?,?,?,?,6092EB55,?), ref: 60929A27

Strings

null pointer passed to non-null argument of char_traits<...>::length, xrefs: 6092ED17
..\..\third_party\libc++\src\include\string_view, xrefs: 6092ED26
..\..\third_party\crashpad\crashpad\util\file\directory_reader_win.cc, xrefs: 6092ECA2
__s != nullptr, xrefs: 6092ED1C
FindNextFile, xrefs: 6092ECB4
%s:%d: assertion %s failed: %s, xrefs: 6092ED2B

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: Find$CloseErrorFileLastNext
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\crashpad\crashpad\util\file\directory_reader_win.cc$..\..\third_party\libc++\src\include\string_view$FindNextFile$__s != nullptr$null pointer passed to non-null argument of char_traits<...>::length
API String ID: 256431386-3959732721
Opcode ID: 6dd23b7372cb8ff19d54a439916b505a9f87c870230ae5d8f85e7fcc9b9732ea
Instruction ID: d58d2d9fb5701bf65cee3bddc85ef40e981079f09dcb7fd0060afef1dce5a8fe
Opcode Fuzzy Hash: 6dd23b7372cb8ff19d54a439916b505a9f87c870230ae5d8f85e7fcc9b9732ea
Instruction Fuzzy Hash: 753135B1A103182BDA10C779AC86F6F7B2F9FB132CF000925F95966285EB71DD05C6E2

Function 6089A050 Relevance: 14.1, APIs: 2, Strings: 6, Instructions: 131COMMON

Download Yara Rule

APIs

SetEnvironmentVariableW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6088BAE7,CHROME_CRASHPAD_PIPE_NAME,00000019,?,?), ref: 6089A0BE
SetEnvironmentVariableW.KERNEL32(?,00000000,?,?,?,..\..\third_party\libc++\src\include\string_view,0000013A,__len <= static_cast<size_type>(numeric_limits<difference_type>::max()),string_view::string_view(_CharT *, size_t): length does not fit in difference_type,?,?,?,6088BAE7,CHROME_CRASHPAD_PIPE_NAME,00000019,?), ref: 6089A173

Strings

__len <= static_cast<size_type>(numeric_limits<difference_type>::max()), xrefs: 6089A119
__len == 0 || __s != nullptr, xrefs: 6089A108
..\..\third_party\libc++\src\include\string_view, xrefs: 6089A123
string_view::string_view(_CharT *, size_t): received nullptr, xrefs: 6089A103
%s:%d: assertion %s failed: %s, xrefs: 6089A128
string_view::string_view(_CharT *, size_t): length does not fit in difference_type, xrefs: 6089A114

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: EnvironmentVariable
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\string_view$__len <= static_cast<size_type>(numeric_limits<difference_type>::max())$__len == 0 || __s != nullptr$string_view::string_view(_CharT *, size_t): length does not fit in difference_type$string_view::string_view(_CharT *, size_t): received nullptr
API String ID: 1431749950-2671331263
Opcode ID: ceab95cd69ef53cd2f49f0481fa526cdd876f8c92a1ff61c0ef50879ad6ae706
Instruction ID: 53528dbc9f0c43399a5ee7d9cc9cee0f241450d3879f989d1b0edec80c920448
Opcode Fuzzy Hash: ceab95cd69ef53cd2f49f0481fa526cdd876f8c92a1ff61c0ef50879ad6ae706
Instruction Fuzzy Hash: 9031E2B2D04229AFDB11EB58CC05AAE7F75EF66218F048819F90637282D735A945C7D1

Function 608A2C80 Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 113COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 608A2CA7

Strings

null pointer passed to non-null argument of char_traits<...>::length, xrefs: 608A2D70
..\..\third_party\libc++\src\include\string_view, xrefs: 608A2D7F
vector[] index out of bounds, xrefs: 608A2D86
__s != nullptr, xrefs: 608A2D75
__n < size(), xrefs: 608A2D8B
..\..\third_party\libc++\src\include\vector, xrefs: 608A2D95
%s:%d: assertion %s failed: %s, xrefs: 608A2D9A

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: _strlen
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\string_view$..\..\third_party\libc++\src\include\vector$__n < size()$__s != nullptr$null pointer passed to non-null argument of char_traits<...>::length$vector[] index out of bounds
API String ID: 4218353326-4232353081
Opcode ID: 956ea56369a3bdbe2e64dae4dc40e276a52879e988c51ba92bcfba058b4603bb
Instruction ID: f38c3d7544c18fea0a5e8001562ad42ed8311e3ec021787a553ae08844312373
Opcode Fuzzy Hash: 956ea56369a3bdbe2e64dae4dc40e276a52879e988c51ba92bcfba058b4603bb
Instruction Fuzzy Hash: E93192B0B003099FCB14DF69C892D5FBBB6EBE8218B548819F94A9B351DB31EC45C791

Function 608F8588 Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 608F86A7
CatchIt.LIBVCRUNTIME ref: 608F8806
_UnwindNestedFrames.LIBCMT ref: 608F8907
CallUnexpected.LIBVCRUNTIME ref: 608F8922

Strings

csm, xrefs: 608F85C5
csm, xrefs: 608F86DE
csm, xrefs: 608F8632

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: CallCatchFramesNestedUnexpectedUnwindtype_info::operator==
String ID: csm$csm$csm
API String ID: 2332921423-393685449
Opcode ID: 4d6cb116bb4584dabceeb07a35444d677ffe2f6bae9cbb9c370ace0a8b4682ca
Instruction ID: 4243b65b4aef4a921195ec6187f80eaa003fda124d8ff1f2b5cc627e162f6432
Opcode Fuzzy Hash: 4d6cb116bb4584dabceeb07a35444d677ffe2f6bae9cbb9c370ace0a8b4682ca
Instruction Fuzzy Hash: DDB17B3180020DEFCF05DFBAC88199EBBB5FF24394B104969E810AB251D7B5DA52CFA1

Function 608C73F0 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 130COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(0000001C), ref: 608C740E
ReleaseSRWLockExclusive.KERNEL32(?), ref: 608C74E1
ReleaseSRWLockExclusive.KERNEL32(?), ref: 608C7505

Strings

..\..\third_party\libc++\src\include\__tree, xrefs: 608C753D
node shouldn't be null, xrefs: 608C752E
__x != nullptr, xrefs: 608C7533
%s:%d: assertion %s failed: %s, xrefs: 608C7542

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ExclusiveLock$Release$Acquire
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\__tree$__x != nullptr$node shouldn't be null
API String ID: 1021914862-3022172278
Opcode ID: 58df0f9104c5865fc7c19e6bd8d62110534cb04573d96b1def5fcecb35e4a2c4
Instruction ID: ab71fd403e796068541cac2ffac2de74c187948d9e25345c250a393a26d5f991
Opcode Fuzzy Hash: 58df0f9104c5865fc7c19e6bd8d62110534cb04573d96b1def5fcecb35e4a2c4
Instruction Fuzzy Hash: 4A41B030A046159BDB19CF29C844B2EBF72FFA5714B248D6DE4166B650DB31EC01CB96

Function 608B8780 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 70COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 608B8794

Strings

__s != nullptr, xrefs: 608B882F
..\..\third_party\libc++\src\include\string, xrefs: 608B881B
__s should never be greater than or equal to the short string capacity, xrefs: 608B880C
__s < __min_cap, xrefs: 608B8811
%s:%d: assertion %s failed: %s, xrefs: 608B8820
string::assign received nullptr, xrefs: 608B882A

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: _strlen
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\string$__s != nullptr$__s < __min_cap$__s should never be greater than or equal to the short string capacity$string::assign received nullptr
API String ID: 4218353326-1196324273
Opcode ID: aff1313f97c7b370646288dcecb9b470ec1919fd7fc7219911877823ec5ae805
Instruction ID: e1bd16661f5f33a15b582279e7f5441d37a272e203d72ecd4001c3df09510b64
Opcode Fuzzy Hash: aff1313f97c7b370646288dcecb9b470ec1919fd7fc7219911877823ec5ae805
Instruction Fuzzy Hash: 2611E9B160025ABAE610C9199C80F277B9BDBF2A5CF20C829F55467240CFB1E801C759

Function 608A80E0 Relevance: 12.2, APIs: 2, Strings: 6, Instructions: 157COMMON

Download Yara Rule

APIs

LocalFree.KERNEL32(?), ref: 608A8205
SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,00000000,?,608A7E78,608A2814,?,608A2814,?), ref: 608A8264

Strings

null pointer given to destroy_at, xrefs: 608A8277
null pointer given to construct_at, xrefs: 608A8285
__location != nullptr, xrefs: 608A828A
..\..\third_party\libc++\src\include\__memory\construct_at.h, xrefs: 608A8291
__loc != nullptr, xrefs: 608A827C
%s:%d: assertion %s failed: %s, xrefs: 608A8296

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ErrorFreeLastLocal
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\__memory\construct_at.h$__loc != nullptr$__location != nullptr$null pointer given to construct_at$null pointer given to destroy_at
API String ID: 3928016487-1414239786
Opcode ID: 8da7e44ce5022f4d096363150b61c78f7b73d06d20de22197308e86478252c6a
Instruction ID: 38caff9ed8794d9e0cf5fdf5757d5ac936ca37c9799f8360d6f6f546c4e89b03
Opcode Fuzzy Hash: 8da7e44ce5022f4d096363150b61c78f7b73d06d20de22197308e86478252c6a
Instruction Fuzzy Hash: 3B51C1B1E04649DFDB01CFA9CC84BAEBBB6EFA9304F104929E815A7350E7759840CB61

Function 608FC051 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 608FC0D7

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 5e558e28cd5b0b8d24ebe8efc3243449e27dd7fc0835bb39817d3425118a5633
Instruction ID: bf21a64ae27354a89a6e89cb04ae169612c2b41bdb5bc5408ca517ce0b088bf4
Opcode Fuzzy Hash: 5e558e28cd5b0b8d24ebe8efc3243449e27dd7fc0835bb39817d3425118a5633
Instruction Fuzzy Hash: 50B1477290425D9FDB02CE78CD81BAE7FA5EF66790F148D55E904AB383D3709A42C7A0

Function 608AF0C0 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 323COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,?), ref: 608AF25E
K32GetMappedFileNameW.KERNEL32(00000000,?,?,00000105,?,?,?), ref: 608AF271

Strings

..\..\third_party\libc++\src\include\string, xrefs: 608AF521
!empty(), xrefs: 608AF517
string::back(): string is empty, xrefs: 608AF512
%s:%d: assertion %s failed: %s, xrefs: 608AF526

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: CurrentFileMappedNameProcess
String ID: !empty()$%s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\string$string::back(): string is empty
API String ID: 4030669083-390832124
Opcode ID: 32a6060961ae63806426fa2ad3811fd8fb3ee2e4f036fed3722faf8760a1f6c8
Instruction ID: 980ec366ff34d4c0e4dba399d9d8520aee29d15560719382de48913cb233c850
Opcode Fuzzy Hash: 32a6060961ae63806426fa2ad3811fd8fb3ee2e4f036fed3722faf8760a1f6c8
Instruction Fuzzy Hash: 5EC105709852298EDF21CF68CC547DABBB1EF76304F1489D9D849A7642E7309E86CF90

Function 60934010 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 219COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 609340F8
_strlen.LIBCMT ref: 60934207

Strings

null pointer passed to non-null argument of char_traits<...>::length, xrefs: 6093424C
..\..\third_party\libc++\src\include\string_view, xrefs: 6093425B
__s != nullptr, xrefs: 60934251
%s:%d: assertion %s failed: %s, xrefs: 60934260

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: _strlen
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\string_view$__s != nullptr$null pointer passed to non-null argument of char_traits<...>::length
API String ID: 4218353326-3330642834
Opcode ID: 6010b4494144064a82bd706ccf5e7dddda2f11dd4e33d6559a73af953df4805d
Instruction ID: 3c8221c3aa838c5518f8e4c07695242f579bdaf00d61b96c15b69d3b63c26c15
Opcode Fuzzy Hash: 6010b4494144064a82bd706ccf5e7dddda2f11dd4e33d6559a73af953df4805d
Instruction Fuzzy Hash: 44818CB1E04629AFCB05CFA8D880A9EBBB6FF29314F054524E818B7301D731E955CF91

Function 6092B4D0 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 185COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 6092B4E9
_strlen.LIBCMT ref: 6092B51E
_strlen.LIBCMT ref: 6092B59B
_strlen.LIBCMT ref: 6092B688

Strings

:.}l, xrefs: 6092B5B0, 6092B6A0
, {, xrefs: 6092B567

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: _strlen
String ID: , {$:.}l
API String ID: 4218353326-573750477
Opcode ID: 25d2d0d160bf4a1d83771bc42364d00d9dbcfde99dbf465deb19f19e8b0dbdfd
Instruction ID: 1caa19d455ae44c249c77e3d157cfcf919fe069741a1f017def57222d335430d
Opcode Fuzzy Hash: 25d2d0d160bf4a1d83771bc42364d00d9dbcfde99dbf465deb19f19e8b0dbdfd
Instruction Fuzzy Hash: 1451C4F1D102196BDB108B64AC46FAFBBFEEB74708F040429F846A3241E735E914CBA1

Function 609261F0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 175fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 60926269
GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 609262A5
GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 609262EF
CreateFileW.KERNEL32 ref: 609263E1
__Init_thread_header.LIBCMT ref: 60926435

Part of subcall function 608DCF67: EnterCriticalSection.KERNEL32(60976154,?,?,?,6090E691,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D), ref: 608DCF72
Part of subcall function 608DCF67: LeaveCriticalSection.KERNEL32(60976154,?,6090E691,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D,?), ref: 608DCFAF

Part of subcall function 608DCFDD: EnterCriticalSection.KERNEL32(60976154,?,?,6090E6B4,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D,?), ref: 608DCFE7
Part of subcall function 608DCFDD: LeaveCriticalSection.KERNEL32(60976154,?,6090E6B4,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D,?), ref: 608DD01A
Part of subcall function 608DCFDD: WakeAllConditionVariable.KERNEL32(?,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D,?,?,?,608C2085), ref: 608DD08D

Strings

debug.log, xrefs: 60926350, 609263A8

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: CriticalSection$File$CreateEnterLeave$ConditionCurrentDirectoryInit_thread_headerModuleNameVariableWake
String ID: debug.log
API String ID: 1936484898-600467936
Opcode ID: 704c20d66f511646ffcf39d992b032a5dfebfe402e9740f3b95e5d7be2ad2770
Instruction ID: 5a848d42bc9e686997dc038385004620dd683d258ba765fdcbffe0a999770bf9
Opcode Fuzzy Hash: 704c20d66f511646ffcf39d992b032a5dfebfe402e9740f3b95e5d7be2ad2770
Instruction Fuzzy Hash: FD5126719342008BDB20DF68AC4972A7FB3EFA6704F00492CE655AB7D5EB70E884D791

Function 6089AB00 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 171COMMON

Download Yara Rule

APIs

Part of subcall function 608A17F0: TryAcquireSRWLockExclusive.KERNEL32(00000000,?,?,?,?,?,00000000,-00000001,?,?,6089AB87,00000065,00000000,?,00000000), ref: 608A181A
Part of subcall function 608A17F0: ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,00000000,-00000001,?,?,6089AB87,00000065,00000000,?,00000000), ref: 608A18C8

GetFileAttributesW.KERNEL32(?,?,00000000,?,?,SystemTemp,0000000A,?,00000000), ref: 6089AC01
GetFileAttributesW.KERNEL32(?), ref: 6089AC98

Strings

..\..\base\files\file_util_win.cc, xrefs: 6089AB45, 6089ABD9, 6089AC6F
PathExists, xrefs: 6089ABDE, 6089AC74
SystemTemp, xrefs: 6089AB9A
GetSecureSystemTemp, xrefs: 6089AB4A

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: AttributesExclusiveFileLock$AcquireRelease
String ID: ..\..\base\files\file_util_win.cc$GetSecureSystemTemp$PathExists$SystemTemp
API String ID: 1451187047-1102273717
Opcode ID: 853c4d2c700d1c5bc76415e354baaf560d3779691d37c4d2ef08d8bfbb797d4c
Instruction ID: 4c5e4dd827b36c5442c817a7518e88c30114e8e3ff1eb29dd466ad1a81057c35
Opcode Fuzzy Hash: 853c4d2c700d1c5bc76415e354baaf560d3779691d37c4d2ef08d8bfbb797d4c
Instruction Fuzzy Hash: E751F575E043505BD710EF288C82B6BB7E5EFE5748F004E1DF9CA67681EB70A9448782

Function 608802F0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 158COMMON

Download Yara Rule

APIs

__Init_thread_header.LIBCMT ref: 60880642

Strings

Monday, xrefs: 60880368
rday, xrefs: 60880447
Sunday, xrefs: 60880338
Friday, xrefs: 60880422
Tuesday, xrefs: 60880396

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: Init_thread_header
String ID: Friday$Monday$Sunday$Tuesday$rday
API String ID: 3738618077-4029317968
Opcode ID: 51f6b4ebd05d3c1a74e076662347e954c857625ef485c3be7cdfa1917e9518a8
Instruction ID: 46b949d6f51093a931e1d8289d65bf9cbca1caaf1cb8397965b25c052d6261ad
Opcode Fuzzy Hash: 51f6b4ebd05d3c1a74e076662347e954c857625ef485c3be7cdfa1917e9518a8
Instruction Fuzzy Hash: D981D77052D284CEEB52DB18D8487007FE3A723308F09499AD4866F3B5C7B5994CEF56

Function 608DF130 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 608DF167
___except_validate_context_record.LIBVCRUNTIME ref: 608DF16F
_ValidateLocalCookies.LIBCMT ref: 608DF1F8
__IsNonwritableInCurrentImage.LIBCMT ref: 608DF223
_ValidateLocalCookies.LIBCMT ref: 608DF278

Strings

csm, xrefs: 608DF20D

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 7243ab6d0f3548d58cfb192ad08ed061bc0da65c5710408ec7aac4c295ce1f48
Instruction ID: b3649bc4eae7fb942f4d5c76ef746d37883485f0146a5b34e7227e1e4bf28bca
Opcode Fuzzy Hash: 7243ab6d0f3548d58cfb192ad08ed061bc0da65c5710408ec7aac4c295ce1f48
Instruction Fuzzy Hash: CE416134940119EBCF01DF69C880A9E7FB5FF75318F148655E8246B392D7319A16DF90

Function 6089A1B0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 115COMMON

Download Yara Rule

APIs

GetEnvironmentVariableW.KERNEL32(?,00000000,00000000,?,?,?,00000000,?,60899F35,6088B022,00000000,00000000,?,6088B022,CHROME_CRASHPAD_PIPE_NAME,00000019), ref: 6089A1E3
GetEnvironmentVariableW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,00000000), ref: 6089A242

Strings

null pointer passed to non-null argument of char_traits<...>::length, xrefs: 6089A2BA
..\..\third_party\libc++\src\include\string_view, xrefs: 6089A2C9
__s != nullptr, xrefs: 6089A2BF
%s:%d: assertion %s failed: %s, xrefs: 6089A2CE

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: EnvironmentVariable
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\string_view$__s != nullptr$null pointer passed to non-null argument of char_traits<...>::length
API String ID: 1431749950-3330642834
Opcode ID: c6b40ce2449a2d94a65955ecb5467d5f132bd6a18cf13153d8ef3d9aa169f626
Instruction ID: 40d4021a7c8f29581a77dc60bfcd6c02db752a13a428e867c3512d5cc7a1d708
Opcode Fuzzy Hash: c6b40ce2449a2d94a65955ecb5467d5f132bd6a18cf13153d8ef3d9aa169f626
Instruction Fuzzy Hash: E23108B1D002156FDB12DB68DC45BBF7B79DF66204F044929FC05A7282EB35D909C6E2

Function 608CD380 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 112COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 608CD3A5
_strlen.LIBCMT ref: 608CD41D

Strings

null pointer passed to non-null argument of char_traits<...>::length, xrefs: 608CD465
..\..\third_party\libc++\src\include\string_view, xrefs: 608CD474
__s != nullptr, xrefs: 608CD46A
%s:%d: assertion %s failed: %s, xrefs: 608CD479

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: _strlen
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\string_view$__s != nullptr$null pointer passed to non-null argument of char_traits<...>::length
API String ID: 4218353326-3330642834
Opcode ID: 066c4153d7a298353ad82f164e7cec66a555d88333203b4cef266f818c2b7293
Instruction ID: 34245320d1832cace5c9d6d8a4f709e3634bf2f335acb484992b6284ff3ab2c0
Opcode Fuzzy Hash: 066c4153d7a298353ad82f164e7cec66a555d88333203b4cef266f818c2b7293
Instruction Fuzzy Hash: 3231A071A402199BDB04EBB88C81AAF77B5EB64354F140828ED51E7341FA31EC15C6A7

Function 60888620 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 101libraryloaderCOMMON

Download Yara Rule

APIs

__Init_thread_header.LIBCMT ref: 60888658

Part of subcall function 608DCF67: EnterCriticalSection.KERNEL32(60976154,?,?,?,6090E691,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D), ref: 608DCF72
Part of subcall function 608DCF67: LeaveCriticalSection.KERNEL32(60976154,?,6090E691,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D,?), ref: 608DCFAF

GetModuleHandleW.KERNEL32(kernel32.dll,?,60986C48,?,6088828B,00000000,?,?,?,?,?,80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000001), ref: 6088866E
GetProcAddress.KERNEL32(00000000,IsWow64Process2), ref: 6088867A

Part of subcall function 608DCFDD: EnterCriticalSection.KERNEL32(60976154,?,?,6090E6B4,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D,?), ref: 608DCFE7
Part of subcall function 608DCFDD: LeaveCriticalSection.KERNEL32(60976154,?,6090E6B4,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D,?), ref: 608DD01A
Part of subcall function 608DCFDD: WakeAllConditionVariable.KERNEL32(?,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D,?,?,?,608C2085), ref: 608DD08D

IsWow64Process.KERNEL32(6088828B,?,60986C48,?,6088828B,00000000,?,?,?,?,?,80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000001), ref: 60888737

Strings

IsWow64Process2, xrefs: 60888674
kernel32.dll, xrefs: 60888669

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: CriticalSection$EnterLeave$AddressConditionHandleInit_thread_headerModuleProcProcessVariableWakeWow64
String ID: IsWow64Process2$kernel32.dll
API String ID: 40102032-2577318745
Opcode ID: 5ef13074f3b5c4cdc5f2be78d49f12dda8b3e28729b65a648c46602c5854d3aa
Instruction ID: 892f41618fecf763d2f8679d04d8e6cd12cdfb2243e1547711b41a1409c8469e
Opcode Fuzzy Hash: 5ef13074f3b5c4cdc5f2be78d49f12dda8b3e28729b65a648c46602c5854d3aa
Instruction Fuzzy Hash: C231B071A10205CBEB14DF69CC5867A7BB6FF66310F10482AE956E7380EB749840CB61

Function 609301C0 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 60930010: TryAcquireSRWLockExclusive.KERNEL32(?,00000000,?,00000004), ref: 60930038
Part of subcall function 60930010: ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,00000004), ref: 60930063

_strlen.LIBCMT ref: 609301F3

Strings

null pointer passed to non-null argument of char_traits<...>::length, xrefs: 6093023F
..\..\third_party\libc++\src\include\string_view, xrefs: 6093024E
__s != nullptr, xrefs: 60930244
type, xrefs: 6093029F
%s:%d: assertion %s failed: %s, xrefs: 60930253

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease_strlen
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\string_view$__s != nullptr$null pointer passed to non-null argument of char_traits<...>::length$type
API String ID: 1083709183-563373429
Opcode ID: f9354ddef7b5cdf87dbbd7887c1b03510ef75fb1db2d6ef88c61651b4416da07
Instruction ID: 0066bca6fc242e741c20ab39ceb35c4712488f8905f251e6879d8927b1720fd7
Opcode Fuzzy Hash: f9354ddef7b5cdf87dbbd7887c1b03510ef75fb1db2d6ef88c61651b4416da07
Instruction Fuzzy Hash: E73147B1B002196BCB04DB69DC45AAFBBAAEFE5724F400529F95577380DB70AD04CBE1

Function 6089A450 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 92fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,00000000), ref: 6089A4BB
CreateFileW.KERNEL32(?,?,00000007,00000000,00000003,02000000,00000000,?,?,00000000), ref: 6089A4EE
GetLastError.KERNEL32(?,?,00000007,00000000,00000003,02000000,00000000,?,?,00000000), ref: 6089A4FA
SetLastError.KERNEL32(00000000,?,?,00000007,00000000,00000003,02000000,00000000,?,?,00000000), ref: 6089A50F

Strings

PathHasAccess, xrefs: 6089A49A
..\..\base\files\file_util_win.cc, xrefs: 6089A495

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ErrorFileLast$AttributesCreate
String ID: ..\..\base\files\file_util_win.cc$PathHasAccess
API String ID: 1299224125-128198036
Opcode ID: 30a076d521764f1b788849ca83139dd46bdd08a4b46bd1b72f1f7769c5d4836a
Instruction ID: 271a825017768036bcc6cab03f43905dcc8f740a0a641c7f3b19236a675c5767
Opcode Fuzzy Hash: 30a076d521764f1b788849ca83139dd46bdd08a4b46bd1b72f1f7769c5d4836a
Instruction Fuzzy Hash: 34214771A143146BD700DF78CC85A6F7BA5EFE5328F108A2DF899A7281EB70D94487C1

Function 608FA71E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 74COMMONLIBRARYCODE

Download Yara Rule

APIs

FreeLibrary.KERNEL32(00000000,?,6090E6DA,60920573,6090E6CA,6090E74A,608840C7), ref: 608FA7DF

Strings

ext-ms-, xrefs: 608FA789
api-ms-, xrefs: 608FA775

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: FreeLibrary
String ID: api-ms-$ext-ms-
API String ID: 3664257935-537541572
Opcode ID: a39104cdecba9ecf993cda91cf0710e081c30b49e634b1690beb7c7996fb7b7e
Instruction ID: c9f5b64ff30978e198425dfbfea233ddf32751caa7b3f581c47f06f37a601ac1
Opcode Fuzzy Hash: a39104cdecba9ecf993cda91cf0710e081c30b49e634b1690beb7c7996fb7b7e
Instruction Fuzzy Hash: F82108B2518628ABD713E735CC40E5A3F7AEB627F0F100910E891B7291DB30ED02DAD0

Function 608924F0 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 70COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 6089251F
_strlen.LIBCMT ref: 60892557

Strings

null pointer passed to non-null argument of char_traits<...>::length, xrefs: 60892590
..\..\third_party\libc++\src\include\string_view, xrefs: 6089259F
__s != nullptr, xrefs: 60892595
%s:%d: assertion %s failed: %s, xrefs: 608925A4

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: _strlen
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\string_view$__s != nullptr$null pointer passed to non-null argument of char_traits<...>::length
API String ID: 4218353326-3330642834
Opcode ID: bffe017dcbfec2f214eba65b2c5372094319811d13f4050bc2ad310c03d7c83e
Instruction ID: 880beec5a1ded483e14b1cc8c284e7372365b4779357c8dc6dd0ed091534cf28
Opcode Fuzzy Hash: bffe017dcbfec2f214eba65b2c5372094319811d13f4050bc2ad310c03d7c83e
Instruction Fuzzy Hash: 2D113BB5A003056FCB00DF399895A6BBBE9EFA5258F454C3CE8859B241EB74DC08C7A1

Function 608F8EA0 Relevance: 9.3, APIs: 6, Instructions: 275COMMON

Download Yara Rule

APIs

_ValidateScopeTableHandlers.LIBCMT ref: 608F8FB4
__FindPESection.LIBCMT ref: 608F8FD1
VirtualQuery.KERNEL32(83000000,BBB4E41F,0000001C,BBB4E41F,?,?,?), ref: 608F90B6
__FindPESection.LIBCMT ref: 608F90F3
_ValidateScopeTableHandlers.LIBCMT ref: 608F9113
__FindPESection.LIBCMT ref: 608F912D

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: FindSection$HandlersScopeTableValidate$QueryVirtual
String ID:
API String ID: 2529200597-0
Opcode ID: 9734325fe745e6c962e70a79149320218e31e415b69278a9c3da289fb5b4e043
Instruction ID: 5431f760eeadf9dd2859bea1e64fa0f74848928ad62b7e62ee3635c4aec6f3e6
Opcode Fuzzy Hash: 9734325fe745e6c962e70a79149320218e31e415b69278a9c3da289fb5b4e043
Instruction Fuzzy Hash: A6A1D072A0461D9FDF15CF79C841A9DBBF6EB96394F100929D8A8A7250DB32DC42CB90

Function 608D8040 Relevance: 9.2, APIs: 6, Instructions: 182COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(?,?,?,608D94F3,?,BBB4E41F,608AAEA5,?), ref: 608D809A
ReleaseSRWLockExclusive.KERNEL32(?,?,608D94F3,?,BBB4E41F,608AAEA5,?), ref: 608D80B1
TryAcquireSRWLockExclusive.KERNEL32(?,?,608D94F3,?,BBB4E41F,608AAEA5,?), ref: 608D80B8
ReleaseSRWLockExclusive.KERNEL32(?,?,608D94F3,?,BBB4E41F,608AAEA5,?), ref: 608D80DE
TryAcquireSRWLockExclusive.KERNEL32(?,?,?,608D94F3,?,BBB4E41F,608AAEA5,?), ref: 608D8101
ReleaseSRWLockExclusive.KERNEL32(?,?,608D94F3,?,BBB4E41F,608AAEA5,?), ref: 608D8118

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID:
API String ID: 17069307-0
Opcode ID: ce3c11c35d66823c15e25b5464811ad4b56f36151a4280fcee42358824425b58
Instruction ID: 0dcc57fe595597634794adbbde00adc4869a4edd89fa90de7becaa9b9701587a
Opcode Fuzzy Hash: ce3c11c35d66823c15e25b5464811ad4b56f36151a4280fcee42358824425b58
Instruction Fuzzy Hash: 8951B132E00618CFCF11DF68C8816AEBBB2FBA5314F115A19E55577390D770AD0ACB91

Function 608C82D0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 109COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?), ref: 608C82E2
CloseHandle.KERNEL32(?), ref: 608C8312

Strings

__len == 0 || __s != nullptr, xrefs: 608C83BE
..\..\third_party\libc++\src\include\string_view, xrefs: 608C83D9
string_view::string_view(_CharT *, size_t): received nullptr, xrefs: 608C83B9
%s:%d: assertion %s failed: %s, xrefs: 608C83DE

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: CloseHandle
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\string_view$__len == 0 || __s != nullptr$string_view::string_view(_CharT *, size_t): received nullptr
API String ID: 2962429428-1530698177
Opcode ID: 58cea423bcb865ced7982928d8156d823c94b82ada602707a7db163462d59d4c
Instruction ID: 0b38562fdcc5204208512bee4207669a96225559686c66674c608ce0a0bf2d89
Opcode Fuzzy Hash: 58cea423bcb865ced7982928d8156d823c94b82ada602707a7db163462d59d4c
Instruction Fuzzy Hash: ED31253578825ADBEB15CF25C840BA6B7B7EFA0B04F105C29E95567640E3B0EC40C792

Function 608B93D0 Relevance: 9.1, APIs: 6, Instructions: 87COMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,6090CA49,?,?,00000030,00000034,?,?,60874132), ref: 608B940A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 608B942C
__allrem.LIBCMT ref: 608B9440
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 608B9477
__Init_thread_header.LIBCMT ref: 608B9499
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,6090CA49,?,?,00000030,00000034,?,?,60874132), ref: 608B94BB

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: PerformanceQueryUnothrow_t@std@@@__ehfuncinfo$??2@$CounterFrequencyInit_thread_header__allrem
String ID:
API String ID: 3691769289-0
Opcode ID: eb27f4326f3c6217135e3c3eea43cbf430b38feac8635e40adb443c3668bcb55
Instruction ID: e39be65d04f77697cfd97989a9a98a1aad2a19df739a3351921b7e7355c9320e
Opcode Fuzzy Hash: eb27f4326f3c6217135e3c3eea43cbf430b38feac8635e40adb443c3668bcb55
Instruction Fuzzy Hash: 483160B55147009FC714CF29DD4596BBFE9EB9A364F10892EE89A93360D730AC04DBA1

Function 608B2E10 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 264COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(?,?), ref: 608B2EBC
ReleaseSRWLockExclusive.KERNEL32(?,00000001), ref: 608B2FA2
TryAcquireSRWLockExclusive.KERNEL32(?,?), ref: 608B3002
ReleaseSRWLockExclusive.KERNEL32(?,00000001), ref: 608B3020

Strings

first, xrefs: 608B312B, 608B314A, 608B3178

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: first
API String ID: 17069307-2456940119
Opcode ID: b40ba4a517279b88d406626a1e9c67a749ad975767c56dd9c5706c61ed09bde6
Instruction ID: aec0555c5213c2438bdc5c96d5f962a4d553026f8bdc723b8b516dc2019a693a
Opcode Fuzzy Hash: b40ba4a517279b88d406626a1e9c67a749ad975767c56dd9c5706c61ed09bde6
Instruction Fuzzy Hash: FB9131316046018BC716CF29C441B6ABBF2EFA9300F24C96CF9989B3A4DB75DC429B81

Function 6092ED90 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 191filetimeCOMMON

Download Yara Rule

APIs

Part of subcall function 6092EFD0: GetFileAttributesW.KERNEL32(?), ref: 6092EFF4

CreateFileW.KERNEL32 ref: 6092EDEE
GetFileTime.KERNEL32(00000000,00000000,00000000,?), ref: 6092EE0D

Strings

CreateFile , xrefs: 6092EF49
..\..\third_party\crashpad\crashpad\util\file\filesystem_win.cc, xrefs: 6092EE90, 6092EF39
GetFileTime , xrefs: 6092EEA0

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: File$AttributesCreateTime
String ID: ..\..\third_party\crashpad\crashpad\util\file\filesystem_win.cc$CreateFile $GetFileTime
API String ID: 1986686026-2226970932
Opcode ID: 00af6e7ec76fd178b88ae74a101ee501cf6dae42b417b1e3606d89c6ffe3f788
Instruction ID: f76c7c37e0efea0d51e70d837c56afa6cea2542c1b5b2808cabdfe58d5ff5e60
Opcode Fuzzy Hash: 00af6e7ec76fd178b88ae74a101ee501cf6dae42b417b1e3606d89c6ffe3f788
Instruction Fuzzy Hash: 8C5129725182506FD700DF64E881B6A7BABEFB5308F04452CF898A7295FB35E908D762

Function 6090D0C0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 151COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?), ref: 6090D13E
IsWow64Process.KERNEL32(00000000,?), ref: 6090D146

Strings

ize, xrefs: 6090D198
, xrefs: 6090D1BE
mit, xrefs: 6090D1FE

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: Process$CurrentWow64
String ID: $ize$mit
API String ID: 1905925150-1017488866
Opcode ID: d38ff3087f7166eddd4af6191250b0df66c75a9d86401109fe0d7ab84a4e08ca
Instruction ID: d04a1ccde4e6713137e120fec5bb1960939033ee3712231b2b4695865e3311da
Opcode Fuzzy Hash: d38ff3087f7166eddd4af6191250b0df66c75a9d86401109fe0d7ab84a4e08ca
Instruction Fuzzy Hash: EF51F6B4801304AFD710DF29C888A9ABBF9EF65308F19C46DE409DB311D736D905CB92

Function 6090D0E0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 139COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?), ref: 6090D13E
IsWow64Process.KERNEL32(00000000,?), ref: 6090D146

Strings

ize, xrefs: 6090D198
, xrefs: 6090D1BE
mit, xrefs: 6090D1FE

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: Process$CurrentWow64
String ID: $ize$mit
API String ID: 1905925150-1017488866
Opcode ID: 5977cf2aef6dd8e46d707a96d564241e15eb15b83af63b719c9331a15e7d410c
Instruction ID: 0dccdca9179cd7ab050ff7f02cbff91a409e2411dddc5edb905bceeb1b3203d8
Opcode Fuzzy Hash: 5977cf2aef6dd8e46d707a96d564241e15eb15b83af63b719c9331a15e7d410c
Instruction Fuzzy Hash: AE51D3B48053049FE715DF29C888A9ABBF9EFA5308F19C46DE849CB311D736D905CB92

Function 60886770 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,?,0000005C,?,?,?,00000000), ref: 60886791

Strings

Failed to create directory %ls, last error is %d, xrefs: 6088681E

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: AttributesFile
String ID: Failed to create directory %ls, last error is %d
API String ID: 3188754299-3494238070
Opcode ID: bc1943636a5bc6ddf3f4b4fd3a667efef280554264623275989827ca84576ee6
Instruction ID: 862cd6caffd14f272e3c0278176721ea1fe5fb3bf095a961ea9e0ee8acf5fd71
Opcode Fuzzy Hash: bc1943636a5bc6ddf3f4b4fd3a667efef280554264623275989827ca84576ee6
Instruction Fuzzy Hash: BD31F370D242199FDB12CB78CC45BAE7FB5EF2A328F104A28E425B2281D735D955C7A0

Function 6090D100 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?), ref: 6090D13E
IsWow64Process.KERNEL32(00000000,?), ref: 6090D146

Strings

ize, xrefs: 6090D198
, xrefs: 6090D1BE
mit, xrefs: 6090D1FE

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: Process$CurrentWow64
String ID: $ize$mit
API String ID: 1905925150-1017488866
Opcode ID: 01aa154808592969c0e0bae278a16a9b1582ae3d72d5503444acb5fd7037c755
Instruction ID: 28378237ed8bf8b2e888922792b62a3925682056c51d6cef75a4d8eaa6b6229e
Opcode Fuzzy Hash: 01aa154808592969c0e0bae278a16a9b1582ae3d72d5503444acb5fd7037c755
Instruction Fuzzy Hash: C3418EB48003009FD705DF28C489A5ABBF9EF66308F29C46EE4098B321D732D906CF92

Function 608A2DB0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 93COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 608A2DD9

Strings

null pointer passed to non-null argument of char_traits<...>::length, xrefs: 608A2E7A
..\..\third_party\libc++\src\include\string_view, xrefs: 608A2E89
__s != nullptr, xrefs: 608A2E7F
%s:%d: assertion %s failed: %s, xrefs: 608A2E8E

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: _strlen
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\string_view$__s != nullptr$null pointer passed to non-null argument of char_traits<...>::length
API String ID: 4218353326-3330642834
Opcode ID: eac8addd666e0a106c44df8dc11d2c0b04ebcd0a7e3df2b3ed2f4fdb75bff5c3
Instruction ID: 2dff8d5305c6d29a1d560952360b5ace98297c064911f928d2ebf1ad478193d8
Opcode Fuzzy Hash: eac8addd666e0a106c44df8dc11d2c0b04ebcd0a7e3df2b3ed2f4fdb75bff5c3
Instruction Fuzzy Hash: 7021D1B5A00304AFD710DF698C81E2B7BB6FFA9714B044828F65A97392DB71EC10CB91

Function 608C92A0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 92fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?,?,File::Read,?,?,00000000), ref: 608C935D
GetLastError.KERNEL32 ref: 608C9398

Strings

Read, xrefs: 608C92E5
File::Read, xrefs: 608C93BA
..\..\base\files\file_win.cc, xrefs: 608C92E0

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ErrorFileLastRead
String ID: ..\..\base\files\file_win.cc$File::Read$Read
API String ID: 1948546556-3098515479
Opcode ID: 58a7edfff29c899a556d98c8eb084d300d6aab4be5dfcd92c5a499e1d6cd0095
Instruction ID: c3d8fe20c24f9b612658b9a08c00b2e6177d83e9683609ffe956b7b814454845
Opcode Fuzzy Hash: 58a7edfff29c899a556d98c8eb084d300d6aab4be5dfcd92c5a499e1d6cd0095
Instruction Fuzzy Hash: 8C31E471514342ABC300CF69C884B5EBBB5FFEA368F504A2DF9E456290D770D554CB92

Function 608C93D0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 84fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?,00000000,File::ReadAtCurrentPos,00000000,?,00000000), ref: 608C9465
GetLastError.KERNEL32 ref: 608C94A5

Strings

File::ReadAtCurrentPos, xrefs: 608C94C2
ReadAtCurrentPos, xrefs: 608C9415
..\..\base\files\file_win.cc, xrefs: 608C9410

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ErrorFileLastRead
String ID: ..\..\base\files\file_win.cc$File::ReadAtCurrentPos$ReadAtCurrentPos
API String ID: 1948546556-1927398383
Opcode ID: d915f5a5ebb88afa16febf9258c66fff53dc84e17a4fee263bc8d8a8b5d1beff
Instruction ID: 2cfaab16478facb92597bde8a85b24fb90b0aed60cfdbf8b590bed3718915997
Opcode Fuzzy Hash: d915f5a5ebb88afa16febf9258c66fff53dc84e17a4fee263bc8d8a8b5d1beff
Instruction Fuzzy Hash: 4B210531514342ABC304CF69CC80B5ABBA5FFA6328F104A2DF9E457190DB70D548CB92

Function 60924FB0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 80COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 60924FEE

Strings

null pointer passed to non-null argument of char_traits<...>::length, xrefs: 60925028
..\..\third_party\libc++\src\include\string_view, xrefs: 60925037
__s != nullptr, xrefs: 6092502D
%s:%d: assertion %s failed: %s, xrefs: 6092503C

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: _strlen
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\string_view$__s != nullptr$null pointer passed to non-null argument of char_traits<...>::length
API String ID: 4218353326-3330642834
Opcode ID: d1d7e31dbea1a0e085aef19fb014957a8be156844b068fda7175fddd7bc4a7db
Instruction ID: 4175d546de8969bba44111f891cb579c251111113db0e073b4f5e0fd8bd3a887
Opcode Fuzzy Hash: d1d7e31dbea1a0e085aef19fb014957a8be156844b068fda7175fddd7bc4a7db
Instruction Fuzzy Hash: EB115C72A0022817D7119A6DAC419EF7779DF61328F000929F959A7385E731EA15C7D2

Function 608EEAE0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 74COMMON

Download Yara Rule

APIs

_wcsrchr.LIBVCRUNTIME ref: 608EEB22

Strings

.exe, xrefs: 608EEB2F
.com, xrefs: 608EEB62
.bat, xrefs: 608EEB51
.cmd, xrefs: 608EEB40

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: _wcsrchr
String ID: .bat$.cmd$.com$.exe
API String ID: 1752292252-4019086052
Opcode ID: 5fc5014854e2035b1e85efc27726bbbeef0759bd4d3efbf83d0d8fa08ac49d84
Instruction ID: ad5ef1495d204bb1e611760377f276bda9ade10b3bff4800fbd1f88f14a19541
Opcode Fuzzy Hash: 5fc5014854e2035b1e85efc27726bbbeef0759bd4d3efbf83d0d8fa08ac49d84
Instruction Fuzzy Hash: 08012B37A04A39216208943EBC42B261798DFF3AF8B11062FFC59FB580FE54DC034294

Function 608763B0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 58COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 608763C0

Strings

string_view::find_last_of(): received nullptr, xrefs: 60876407
..\..\third_party\libc++\src\include\string_view, xrefs: 60876416
__s != nullptr, xrefs: 6087640C
%s:%d: assertion %s failed: %s, xrefs: 6087641B

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: _strlen
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\string_view$__s != nullptr$string_view::find_last_of(): received nullptr
API String ID: 4218353326-2623404029
Opcode ID: 21f29af59a410b38df0ff79af64c4f8082a929d84f9fc60d9ebbbf90226657c1
Instruction ID: a2de92e5d873951fc56e45c4b8e495b276f2872a91b6837db5cdba1f93a4603f
Opcode Fuzzy Hash: 21f29af59a410b38df0ff79af64c4f8082a929d84f9fc60d9ebbbf90226657c1
Instruction Fuzzy Hash: 80F028B630451A3BD710CA2ADC45E2B7B9EEFF06D87148535F928C7245DB71EC22C2A1

Function 60925240 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 46COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 60925258

Strings

null pointer passed to non-null argument of char_traits<...>::length, xrefs: 60925290
..\..\third_party\libc++\src\include\string_view, xrefs: 6092529F
__s != nullptr, xrefs: 60925295
%s:%d: assertion %s failed: %s, xrefs: 609252A4

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: _strlen
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\string_view$__s != nullptr$null pointer passed to non-null argument of char_traits<...>::length
API String ID: 4218353326-3330642834
Opcode ID: 6ff6448c8c32abbcb404684cbc86effe35563f116a6577d446b03a708a7579e3
Instruction ID: a4875f225e5137e1594ccf313082c2da1ab172c843eef11b59d83eb24d4749ec
Opcode Fuzzy Hash: 6ff6448c8c32abbcb404684cbc86effe35563f116a6577d446b03a708a7579e3
Instruction Fuzzy Hash: F3F081B6615309EFD7008E45ED8188A376FEAB53A8B150421F9646724CD330FC10C6F1

Function 60883040 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 37COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 6088304F

Strings

string::append received nullptr, xrefs: 60883066
__s != nullptr, xrefs: 6088306B
..\..\third_party\libc++\src\include\string, xrefs: 60883075
%s:%d: assertion %s failed: %s, xrefs: 6088307A

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: _strlen
String ID: %s:%d: assertion %s failed: %s$..\..\third_party\libc++\src\include\string$__s != nullptr$string::append received nullptr
API String ID: 4218353326-961869420
Opcode ID: 90fe4349a235b792b7dc4663ccdb891b3782d848e9fe948671a9fbb1d17bd97f
Instruction ID: 8c789d1b0be03e59c30cf2ea4a6159f7526d2f2431511fb7ac67639e6db3d19a
Opcode Fuzzy Hash: 90fe4349a235b792b7dc4663ccdb891b3782d848e9fe948671a9fbb1d17bd97f
Instruction Fuzzy Hash: BDE0C2E2B00618375410A50A9C46C3B2B2ED6F2DBDB040429F60526240EB71EC11C2F7

Function 608EEE50 Relevance: 7.6, APIs: 5, Instructions: 143pipeCOMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,608EEDEB), ref: 608EEE72
GetFileInformationByHandle.KERNEL32(?,?), ref: 608EEECC
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,608EEDEB,?,000000FF,00000000,?), ref: 608EEF5A
__dosmaperr.LIBCMT ref: 608EEF61
PeekNamedPipe.KERNEL32(?,00000000,00000000,00000000,?,00000000), ref: 608EEF9E

Part of subcall function 608EEB8E: __dosmaperr.LIBCMT ref: 608EEBC3

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: File__dosmaperr$ErrorHandleInformationLastNamedPeekPipeType
String ID:
API String ID: 1206951868-0
Opcode ID: b096db3e0b0723958bdfac42503ab2acf50a20e414d136d371ddc48f93b30842
Instruction ID: c37e041de1746b71bbd27970f30b4bf987a1539e2f9527ca3d9e96912c2253fb
Opcode Fuzzy Hash: b096db3e0b0723958bdfac42503ab2acf50a20e414d136d371ddc48f93b30842
Instruction Fuzzy Hash: E7413C75900708AFDB25DFA6DC459ABBBF9EF9A300B104929F466D3650EB30A844CB10

Function 6087A9E0 Relevance: 7.6, APIs: 5, Instructions: 120COMMONLIBRARYCODE

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,00000010,?,?,?,?,00000000,?,?,6087A97C,00000000), ref: 6087AA46
__Init_thread_header.LIBCMT ref: 6087AA9D
GetCurrentProcess.KERNEL32(?,?,?,00000000,?,?,6087A97C,00000000,?,?,?,?,?,6098A000,00000080,00000000), ref: 6087AABB
IsWow64Process.KERNEL32(00000000,?,?,?,?,00000000,?,?,6087A97C,00000000,?,?,?,?,?,6098A000), ref: 6087AAC3
ReadProcessMemory.KERNEL32(?,?,?,00000014,?,?,?,?,00000000,?,?,6087A97C,00000000), ref: 6087AB0A

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: Process$MemoryRead$CurrentInit_thread_headerWow64
String ID:
API String ID: 361901566-0
Opcode ID: 62aca8bec3636a12ea1c883a7d2111a8a573df9e9f706f7e38282dfb02d4b067
Instruction ID: 587f7456ca83d47bcc273f0b134e884a77d77728ca58325a5d2585da5ef19e03
Opcode Fuzzy Hash: 62aca8bec3636a12ea1c883a7d2111a8a573df9e9f706f7e38282dfb02d4b067
Instruction Fuzzy Hash: CD41D870D143569BDB22CFA4D9849AEFFB1EF96320F548B19D5A1722C1E7309E48C760

Function 608AA100 Relevance: 7.6, APIs: 5, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

InitOnceExecuteOnce.KERNEL32(609871C8,Function_0004A0E0,?,00000000), ref: 608AA146
TlsGetValue.KERNEL32 ref: 608AA163
AcquireSRWLockExclusive.KERNEL32(609871D4), ref: 608AA175
ReleaseSRWLockExclusive.KERNEL32(609871D4), ref: 608AA1A5

Part of subcall function 608F08C6: IsProcessorFeaturePresent.KERNEL32(00000017,608E226B), ref: 608F08E2

TlsAlloc.KERNEL32 ref: 608AA233

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ExclusiveLockOnce$AcquireAllocExecuteFeatureInitPresentProcessorReleaseValue
String ID:
API String ID: 2915141342-0
Opcode ID: ffb6512b37c2fa9ee64cab197e53f7063f33310c3a3064c80df0f4aab8cbfcb5
Instruction ID: 10b1baabdc74a05a12041720cab3d9a18885cc7a5edb172e72df883f9a2f5b5c
Opcode Fuzzy Hash: ffb6512b37c2fa9ee64cab197e53f7063f33310c3a3064c80df0f4aab8cbfcb5
Instruction Fuzzy Hash: 7F319175A182049FDF04DFA5CC8966EBFB6FB57210B14082DEC16A3B60DB35E805DB91

Function 608BCD20 Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

__Init_thread_header.LIBCMT ref: 608BCD76
GetVersionExW.KERNEL32(?), ref: 608BCDAC
GetProductInfo.KERNEL32(?,?,00000000,00000000,?), ref: 608BCDC3
__Init_thread_header.LIBCMT ref: 608BCE1F

Part of subcall function 608DCF67: EnterCriticalSection.KERNEL32(60976154,?,?,?,6090E691,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D), ref: 608DCF72
Part of subcall function 608DCF67: LeaveCriticalSection.KERNEL32(60976154,?,6090E691,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D,?), ref: 608DCFAF

GetNativeSystemInfo.KERNEL32(60986C48), ref: 608BCE50

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: CriticalInfoInit_thread_headerSection$EnterLeaveNativeProductSystemVersion
String ID:
API String ID: 4213586224-0
Opcode ID: 7789a05ae67201f4119f2b4ebe99b32d45a273692209d990ccf014bfc1fde0aa
Instruction ID: 2ef9a6983965a135c445889cbedf276b1f522704762c8bdc8048108ba059eeba
Opcode Fuzzy Hash: 7789a05ae67201f4119f2b4ebe99b32d45a273692209d990ccf014bfc1fde0aa
Instruction Fuzzy Hash: 2F31F771924114DBDB10CB1ACC86A9A7F72FBA7314F000E29E6C56F391DB316894DB91

Function 608DCFDD Relevance: 7.5, APIs: 5, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(60976154,?,?,6090E6B4,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D,?), ref: 608DCFE7
LeaveCriticalSection.KERNEL32(60976154,?,6090E6B4,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D,?), ref: 608DD01A
WakeAllConditionVariable.KERNEL32(?,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D,?,?,?,608C2085), ref: 608DD08D
SetEvent.KERNEL32(?,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D,?,?,?,608C2085), ref: 608DD097
ResetEvent.KERNEL32(?,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D,?,?,?,608C2085), ref: 608DD0A3

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: CriticalEventSection$ConditionEnterLeaveResetVariableWake
String ID:
API String ID: 3916383385-0
Opcode ID: 26b2384f3590016fc1a661cb28c044b416e871716706a3d8c1a02a538537320c
Instruction ID: 9329b29b49254a8ca50d33724df49b963cadc7f6acbc02aaabb0f54aebf0f2cb
Opcode Fuzzy Hash: 26b2384f3590016fc1a661cb28c044b416e871716706a3d8c1a02a538537320c
Instruction Fuzzy Hash: 6601463252C624DBCB029F29EC1C9997FB6FB4B3117804029E801A7362DB306C41EB98

Function 609029FB Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 370COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 60902B75
__freea.LIBCMT ref: 60902B91

Strings

a/p, xrefs: 60902C57
am/pm, xrefs: 60902BF3

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: __freea
String ID: a/p$am/pm
API String ID: 240046367-3206640213
Opcode ID: d5443cf999845c3b26e156d7fe97ccd932d5d9334a55bc29367b747e427ee172
Instruction ID: dbb183855063959b05aa0704663e44976421e3bb00e72b71b2c6f17fae02cdf5
Opcode Fuzzy Hash: d5443cf999845c3b26e156d7fe97ccd932d5d9334a55bc29367b747e427ee172
Instruction Fuzzy Hash: 52C1F030944226DBDB15CF68C884BAA7BBBFF36304F20409DE816AB290D335DD81DB55

Function 60897370 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 150COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(00000004), ref: 60897393

Strings

..\..\third_party\crashpad\crashpad\client\crash_report_database_win.cc, xrefs: 608973EC, 608974B1
GetFileAttributes , xrefs: 608973FE, 608974C3
: not a directory, xrefs: 60897469

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: AttributesFile
String ID: ..\..\third_party\crashpad\crashpad\client\crash_report_database_win.cc$: not a directory$GetFileAttributes
API String ID: 3188754299-1182343664
Opcode ID: dd5c798bacdfb9a0e237f3a880ce96571c9690cf6a98432b325f8d2f9482f364
Instruction ID: 9ab466b462ef6b52838a0d331cc44385b6cafce79dff21acafc3441d0e647dcc
Opcode Fuzzy Hash: dd5c798bacdfb9a0e237f3a880ce96571c9690cf6a98432b325f8d2f9482f364
Instruction Fuzzy Hash: 2841D8719002285AEB10EB58DC42FA97B7AEF3130CF0448A4F95967292E735DE48EB56

Function 608F89AD Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 125COMMONLIBRARYCODE

Download Yara Rule

APIs

EncodePointer.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,608F88B3,?,?,00000000,00000000,00000000,?), ref: 608F89D2
CatchIt.LIBVCRUNTIME ref: 608F8AB8

Strings

MOC, xrefs: 608F89E4
RCC, xrefs: 608F89EC

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: CatchEncodePointer
String ID: MOC$RCC
API String ID: 1435073870-2084237596
Opcode ID: f4a950f714eba79b433d88f5dc3882b4fac4f90f6b86cc5ea47123e39b026159
Instruction ID: 981fdc5695d047f756d715592b6a88ce7e74b3c9557db95a420ed40ab93ab644
Opcode Fuzzy Hash: f4a950f714eba79b433d88f5dc3882b4fac4f90f6b86cc5ea47123e39b026159
Instruction Fuzzy Hash: D541667290021DEFCF02CFA9C881AAEBBB5FF18344F14889AF914A6251D3759952DF52

Function 6092F220 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 108fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?), ref: 6092F244
DeleteFileW.KERNEL32(?), ref: 6092F266

Strings

DeleteFile , xrefs: 6092F2D9
..\..\third_party\crashpad\crashpad\util\file\filesystem_win.cc, xrefs: 6092F2C7

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: File$AttributesDelete
String ID: ..\..\third_party\crashpad\crashpad\util\file\filesystem_win.cc$DeleteFile
API String ID: 2910425767-1915427265
Opcode ID: a419fdb62b81462f6194785bc7274c80ebcfeea02b7f1dbc5a71813ed1705abd
Instruction ID: 9895316c9c223b3524b6fcf23a601cf2d96133bfccc7afa9003531cf402a02fb
Opcode Fuzzy Hash: a419fdb62b81462f6194785bc7274c80ebcfeea02b7f1dbc5a71813ed1705abd
Instruction Fuzzy Hash: 9E318B719502289BEF11CB24EC61B9A7B7AEF3230CF0005B8F819A7285D734ED08CB91

Function 60897230 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(00000004,00000000), ref: 60897255
GetLastError.KERNEL32 ref: 6089725F

Strings

CreateDirectory , xrefs: 608972D7
..\..\third_party\crashpad\crashpad\client\crash_report_database_win.cc, xrefs: 608972C5

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: ..\..\third_party\crashpad\crashpad\client\crash_report_database_win.cc$CreateDirectory
API String ID: 1375471231-1677680670
Opcode ID: 92c8538cb913a2cb14019b0450977e266ee5a671b84b8c85ad13c0aee70ceb7a
Instruction ID: 6c3f4a7a1fcd7765e15d13e0beb3a3675c5c3a09878f795c102d21379df0758a
Opcode Fuzzy Hash: 92c8538cb913a2cb14019b0450977e266ee5a671b84b8c85ad13c0aee70ceb7a
Instruction Fuzzy Hash: 34313F31A142285BEB21DBACDC41FAE7779EF71308F4408A9FD49A7281DB359D08DB51

Function 608C94D0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 81fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,00000000,?,?,File::Write,?,00000000,00000000), ref: 608C9588

Strings

File::Write, xrefs: 608C95CD
Write, xrefs: 608C9515
..\..\base\files\file_win.cc, xrefs: 608C9510

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: FileWrite
String ID: ..\..\base\files\file_win.cc$File::Write$Write
API String ID: 3934441357-298953120
Opcode ID: 87a47b8bd92efd08205eb87973e49ba6388b8c221803ccaa387fd2409d730dbf
Instruction ID: 3b405c03d2fe178b3a548412f7470531bff4856866f90620fcadca6ae378b182
Opcode Fuzzy Hash: 87a47b8bd92efd08205eb87973e49ba6388b8c221803ccaa387fd2409d730dbf
Instruction Fuzzy Hash: 2931D1724143459BDB00CF29C880B5ABBA1FFEA368F104B1DF9E456295DB70D648CB93

Function 608A1260 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 74fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,File::WriteAtCurrentPos,00000000,?,00000000), ref: 608A12F8

Strings

File::WriteAtCurrentPos, xrefs: 608A133B
WriteAtCurrentPos, xrefs: 608A12A8
..\..\base\files\file_win.cc, xrefs: 608A12A3

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: FileWrite
String ID: ..\..\base\files\file_win.cc$File::WriteAtCurrentPos$WriteAtCurrentPos
API String ID: 3934441357-3665893826
Opcode ID: 1cfce810dbff72fbd3cd54b9f0ab4e5832dac7ea33b57227bdaeacc4a9390ec5
Instruction ID: df5bda31032ef931a7d074dc262a9af83d4da53e40177be26c05018532327ba9
Opcode Fuzzy Hash: 1cfce810dbff72fbd3cd54b9f0ab4e5832dac7ea33b57227bdaeacc4a9390ec5
Instruction Fuzzy Hash: 9021F4724143419BCB10DF19CC81B5ABBA5FFEA368F100B1DF8A46B294DB70A548CB92

Function 608764B0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(bcryptprimitives.dll,60982850,?,?,60876465,?,00000008,00000002,FFE00000,?,?), ref: 608764C4
GetProcAddress.KERNEL32(00000000,ProcessPrng), ref: 608764D4

Strings

ProcessPrng, xrefs: 608764CE
bcryptprimitives.dll, xrefs: 608764BF

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: ProcessPrng$bcryptprimitives.dll
API String ID: 2574300362-2667675608
Opcode ID: 40aceeca61400f4623a741e98927b4b7b79f0bfa4cd0d8f563361587e123a113
Instruction ID: 5a25c548909fd0db36b9dbe15b121260d5fac5eae5d261a133cdcb06498937db
Opcode Fuzzy Hash: 40aceeca61400f4623a741e98927b4b7b79f0bfa4cd0d8f563361587e123a113
Instruction Fuzzy Hash: 7CF0A73171421A5B9F188F37CD18A6F7F6EDB962527008C68F915E7264EF30D801D6A0

Function 60906BF8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(608C2085,00000000,00000800,?,60906C94,00000000,608840C7,?,?,?,?,60906B52,00000002,FlsGetValue,6093E128,6093E130), ref: 60906C05
GetLastError.KERNEL32(?,60906C94,00000000,608840C7,?,?,?,?,60906B52,00000002,FlsGetValue,6093E128,6093E130,00000000,?,608F7D85), ref: 60906C0F
LoadLibraryExW.KERNEL32(608C2085,00000000,00000000,608AF85F,608C2085,?,608840C7,?,?,608C2085,?,00000000), ref: 60906C37

Strings

api-ms-, xrefs: 60906C1C

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID: api-ms-
API String ID: 3177248105-2084034818
Opcode ID: 4901e245e6a585b3571d53e997833cd5834fdb7e9e7645e14865af2493a62a42
Instruction ID: 5173e0cbe8d5f7ee751f235583dfed6080c002f499eed709187b1f49631d3aa1
Opcode Fuzzy Hash: 4901e245e6a585b3571d53e997833cd5834fdb7e9e7645e14865af2493a62a42
Instruction Fuzzy Hash: A1E04831648318B7FF021B61DC17B1D3F5BEB21754F104424FADDB44A2DB61E990E944

Function 608AA340 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 14libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(bcryptprimitives,?,?,?,00000130), ref: 608AA348
GetProcAddress.KERNEL32(00000000,ProcessPrng), ref: 608AA358

Strings

bcryptprimitives, xrefs: 608AA343
ProcessPrng, xrefs: 608AA352

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: ProcessPrng$bcryptprimitives
API String ID: 2574300362-1205050517
Opcode ID: 97d8d36bc9b2660c72d4a7deabbfedb1fd68eba5ee173de560e5328384623dd8
Instruction ID: ea8be7a4ef373ba19ca6b6a98bb238e43011c336b597a645ac860bd441ce272a
Opcode Fuzzy Hash: 97d8d36bc9b2660c72d4a7deabbfedb1fd68eba5ee173de560e5328384623dd8
Instruction Fuzzy Hash: 08D0123021870E579F015B73DD1D917BE9EEB526453000894F825E5B51DF35D8109560

Function 6087ACB0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 6087ACB8
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 6087ACC4

Strings

GetSystemTimePreciseAsFileTime, xrefs: 6087ACBE
kernel32.dll, xrefs: 6087ACB3

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetSystemTimePreciseAsFileTime$kernel32.dll
API String ID: 1646373207-706389432
Opcode ID: ada6bae483062962b616575a0a2493419b45f9d4c99d2b57da3be473f5a6abde
Instruction ID: 9118a480b6b846174e0eb401a4d75e9af673a0bafee0328b629bc671841577f0
Opcode Fuzzy Hash: ada6bae483062962b616575a0a2493419b45f9d4c99d2b57da3be473f5a6abde
Instruction Fuzzy Hash: 95D0127451C308AB8A16EBE7DD5890A3FAED7963143400411F486E6211DEB0E400A6A4

Function 60876380 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 10libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll), ref: 60876388
GetProcAddress.KERNEL32(00000000,RtlCaptureStackBackTrace), ref: 60876394

Strings

ntdll.dll, xrefs: 60876383
RtlCaptureStackBackTrace, xrefs: 6087638E

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: RtlCaptureStackBackTrace$ntdll.dll
API String ID: 1646373207-693287458
Opcode ID: 26eb8adeeef0d7bcd86fe769f2505727738f1a24a0629df0e2b43615698cb307
Instruction ID: d9e68e76531f54c4f4745171297ca9c4330a43b674c04fdd0a47a8eb35c73a3e
Opcode Fuzzy Hash: 26eb8adeeef0d7bcd86fe769f2505727738f1a24a0629df0e2b43615698cb307
Instruction Fuzzy Hash: 22C08C3682930C6BCA002BE3CD0CC28BE5EEB4A3043000841F085A1211CD30A0009610

Function 60876B90 Relevance: 6.3, APIs: 5, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eab171139cacae85d3f2ad602160d41c027ab781d94da0c016def627c75a1058
Instruction ID: 2385ebb33dd981f95755cca6df97f47252bbe6f4f01de16345adaa198bb9a1e5
Opcode Fuzzy Hash: eab171139cacae85d3f2ad602160d41c027ab781d94da0c016def627c75a1058
Instruction Fuzzy Hash: 5121F53290460A9FDF22DF68CC05A5E3F76EF66311F148C14F944AB158E731DD609BA1

Function 608AD4E0 Relevance: 6.2, APIs: 4, Instructions: 229COMMON

Download Yara Rule

APIs

Part of subcall function 608CF200: CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,?,608AD517,00000001,00000001,?,00000000,?,?,608ABA6A), ref: 608CF21E
Part of subcall function 608CF200: GetLastError.KERNEL32(?,608AD517,00000001,00000001,?,00000000,?,?,608ABA6A), ref: 608CF22C
Part of subcall function 608CF200: SetLastError.KERNEL32(00000000,608ABA6A,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 608CF24C

TryAcquireSRWLockExclusive.KERNEL32(00000000,?,?,609371C1,?,?,?,?,?,?,?,?,?,?,?,?), ref: 608AD5DE
ReleaseSRWLockExclusive.KERNEL32(00000000,?,609371C1,?,?,?,?,?,?,?,?,?,?,?,?,000000DE), ref: 608AD696

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ErrorExclusiveLastLock$AcquireCreateEventRelease
String ID:
API String ID: 629145919-0
Opcode ID: 004a54c004ee48465cd5cd7af112253dec450c9cde0059a4a5509cb877c8128d
Instruction ID: 7a9d6d29efa71c8228a2f8eb420d2f57ec121211253a30b49f816e7a11b91fe5
Opcode Fuzzy Hash: 004a54c004ee48465cd5cd7af112253dec450c9cde0059a4a5509cb877c8128d
Instruction Fuzzy Hash: 43819B75600B059BD714CF2AC890A66BBF6FBA9318B408D2DE95BCBE41D731F815CB90

Function 608CECB0 Relevance: 6.2, APIs: 4, Instructions: 222COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 608CED2E
_strlen.LIBCMT ref: 608CEDE0
_strlen.LIBCMT ref: 608CEE94

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: ae55c4e8ec6ff0de8bfbf8825c8c389a68c690ffb327cebf1a47ac7035dc38db
Instruction ID: 58f873d742ee202f985bbd7d6c559ef4807c351d7ee1432a664dbc5198b18673
Opcode Fuzzy Hash: ae55c4e8ec6ff0de8bfbf8825c8c389a68c690ffb327cebf1a47ac7035dc38db
Instruction Fuzzy Hash: E271D2B5A4425A8BDB05CF6CD8C2BAA7BB9FB26344F14082CE89697301F735DD058762

Function 60872430 Relevance: 6.2, APIs: 4, Instructions: 212synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(00000000,00001388), ref: 60872458
__Init_thread_header.LIBCMT ref: 60872519
__Init_thread_header.LIBCMT ref: 60872564

Part of subcall function 608DCF67: EnterCriticalSection.KERNEL32(60976154,?,?,?,6090E691,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D), ref: 608DCF72
Part of subcall function 608DCF67: LeaveCriticalSection.KERNEL32(60976154,?,6090E691,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D,?), ref: 608DCFAF

ReleaseMutex.KERNEL32 ref: 608725BF

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: CriticalInit_thread_headerSection$EnterLeaveMutexObjectReleaseSingleWait
String ID:
API String ID: 529578633-0
Opcode ID: 217311979055b07edf9fe084870e18547b212869fa537e6369abc14a79601626
Instruction ID: 8d3590fb30fb60ad92af9034afe1c2c18af681cd6ad80a47c31e44dcb70f782a
Opcode Fuzzy Hash: 217311979055b07edf9fe084870e18547b212869fa537e6369abc14a79601626
Instruction Fuzzy Hash: 4C81C1B1E042188FCB21CF28CC94A5EBBB2EF69314F18C566E809AB355E735ED41CB50

Function 608F82AF Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 608F8376
___AdjustPointer.LIBCMT ref: 608F8399
___AdjustPointer.LIBCMT ref: 608F8435

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 11d830a392687640fbe40cc0fcf21e3741796b22cab902a43fc79a35be42b31f
Instruction ID: d71f0f17a685f443e16a45e400885455765c17934f423037c10a4b00e032a078
Opcode Fuzzy Hash: 11d830a392687640fbe40cc0fcf21e3741796b22cab902a43fc79a35be42b31f
Instruction Fuzzy Hash: 5B51F37250560EEFEB15CF26C881B6A7BA5EF20B54F100D29E811973A0E7B1EC52CB50

Function 608D40D0 Relevance: 6.1, APIs: 4, Instructions: 149COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(FFFFFFFF,608AA230,?,?), ref: 608D40F9
TryAcquireSRWLockExclusive.KERNEL32(?), ref: 608D4209
ReleaseSRWLockExclusive.KERNEL32(?), ref: 608D4231
__Init_thread_header.LIBCMT ref: 608D42C6

Part of subcall function 608AD4A0: TlsSetValue.KERNEL32(FFFFFFFF,608D413B,?,608D413B,FFFFFFFF,?), ref: 608AD4A9

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ExclusiveLockValue$AcquireInit_thread_headerRelease
String ID:
API String ID: 4057198150-0
Opcode ID: f15968924fa2cbd6338e8523f6e578cb6a99fc749ff8b3e550d3a27ebb6bc587
Instruction ID: ffbeade3014787f176d95df4b82c0c493a1a5a2f79693daacb3d46ec6583cd01
Opcode Fuzzy Hash: f15968924fa2cbd6338e8523f6e578cb6a99fc749ff8b3e550d3a27ebb6bc587
Instruction Fuzzy Hash: 78514A71A002088BEF14DFA8DC46BA93B66FBA6304F104E78E929973C1DB715D85DF91

Function 60924150 Relevance: 6.1, APIs: 4, Instructions: 146COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(?), ref: 60924180

Part of subcall function 608C38D0: AcquireSRWLockExclusive.KERNEL32(?,?,6088D907,?,?,?,?,?,__len <= static_cast<size_type>(numeric_limits<difference_type>::max()),string_view::string_view(_CharT *, size_t): length does not fit in difference_type), ref: 608C38D4

ReleaseSRWLockExclusive.KERNEL32(?), ref: 609241FD
TryAcquireSRWLockExclusive.KERNEL32(?), ref: 60924266
ReleaseSRWLockExclusive.KERNEL32(?), ref: 609242ED

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release
String ID:
API String ID: 1678258262-0
Opcode ID: 38ca6fde4dfd12b7b4e25be80d486509096d0830b05f7c22d1ff9c3a7fd248bc
Instruction ID: 5b0a15951d1ead45d0e44dd392ccb1ca7ee02b52db38916cfb2af04d3a0b8868
Opcode Fuzzy Hash: 38ca6fde4dfd12b7b4e25be80d486509096d0830b05f7c22d1ff9c3a7fd248bc
Instruction Fuzzy Hash: E6515CB0B107058FDB15CF69E890A6BBBFAFF69204B10092CE45697756DB30E909CF61

Function 6090CAA0 Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 6090E1E0: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 6090E243

__aullrem.LIBCMT ref: 6090CB01
__aulldiv.LIBCMT ref: 6090CB13
__allrem.LIBCMT ref: 6090CB45
__aulldiv.LIBCMT ref: 6090CB64

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: __aulldiv$Unothrow_t@std@@@__allrem__aullrem__ehfuncinfo$??2@
String ID:
API String ID: 4222531432-0
Opcode ID: 79f7e5f096c2456f592ded2a977cc5f19a1e0f69339538c86670461a1810d685
Instruction ID: a44422e7b0169a90bf730d7c9ae0d43668711dc8a1fb47f7e13fbd14e3d68abe
Opcode Fuzzy Hash: 79f7e5f096c2456f592ded2a977cc5f19a1e0f69339538c86670461a1810d685
Instruction Fuzzy Hash: 6E21C3B2B003116BD714DF298C81A6BBBDEDB95654F01892DF94AD7280DA30B90587E1

Function 60872E60 Relevance: 6.1, APIs: 4, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32 ref: 60872EB4
VerSetConditionMask.KERNEL32(00000000,?,00000001,00000003), ref: 60872EC2
VerSetConditionMask.KERNEL32(00000000,?,00000020,00000003,?,00000001,00000003), ref: 60872EC9
VerifyVersionInfoW.KERNEL32(?,00000023,00000000), ref: 60872EEC

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion
String ID:
API String ID: 2793162063-0
Opcode ID: 3aaa3986b0e701b1112bf64052deaeb76c7f3a11c1a5fe6c0fb12590ebdde2f7
Instruction ID: 69aa9143fec5fa0b7a94f1397a49ad68901ecd7c8791a54a2317a6163609593b
Opcode Fuzzy Hash: 3aaa3986b0e701b1112bf64052deaeb76c7f3a11c1a5fe6c0fb12590ebdde2f7
Instruction Fuzzy Hash: 332149306102041AFB34E7799C0ABBF7BA9DF76348F008C2DF945971C6EF689C548662

Function 608BE010 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(00000000), ref: 608BE03F
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 608BE07C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 608BE0B2
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 608BE116

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$CounterPerformanceQuery
String ID:
API String ID: 374826692-0
Opcode ID: fc6771087c1cec4dd60a50b0a637e251b56356c36ed31670bc9a38ff38afb077
Instruction ID: ae714ad1aae028f951fe129b6bae5d96faeb947d79429d84f4b73dc5c2cb0d70
Opcode Fuzzy Hash: fc6771087c1cec4dd60a50b0a637e251b56356c36ed31670bc9a38ff38afb077
Instruction Fuzzy Hash: 6A313CB16183019FC708DF59D885A2BFFE9EBD9314F00892EF589873A1D774E8449B52

Function 608AA980 Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

TlsGetValue.KERNEL32(FFFFFFFF,60987120,?,?,?,608AAC3C,6093197C,6089D54A,?,6093197C,60931BB0,6089D1E4), ref: 608AA997
TryAcquireSRWLockExclusive.KERNEL32(?,60931BB0,6089D1E4,?,?,?,?,?,?,?,?,?,6089D1E4,?,?), ref: 608AA9CD
ReleaseSRWLockExclusive.KERNEL32(?,?,?,?,?,?,?,?,?,?,6089D1E4,?,?), ref: 608AAA2C
__Init_thread_header.LIBCMT ref: 608AAA50

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ExclusiveLock$AcquireInit_thread_headerReleaseValue
String ID:
API String ID: 1978092767-0
Opcode ID: ebed7778b6debeb934cff97cbb4f754954d3eace63f8e8684e816513ffbe528d
Instruction ID: fbb314c6e33e1def34a3a1606f4b68758022f0f6f4e303e7ed617ad3922aa5b3
Opcode Fuzzy Hash: ebed7778b6debeb934cff97cbb4f754954d3eace63f8e8684e816513ffbe528d
Instruction Fuzzy Hash: DB2122726185018FDB05CF28C984A267FE3EBA3318F108D2AE52597BA1D771AC43EB11

Function 608F2C94 Relevance: 6.1, APIs: 4, Instructions: 82COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 609005AA: WideCharToMultiByte.KERNEL32(?,00000000,044F8D04,8FE85150,83FFFD0A,06C708C4,609450E0,4E89084E,-00000008,-00000008,00000000,6090E44E,608F9AAB,CE8956E5,00000000,-00000008), ref: 6090060B

GetLastError.KERNEL32(?,?,?,00000000,00000000,?,608FF57A,?,?,?,00000000), ref: 608F2CF8
__dosmaperr.LIBCMT ref: 608F2CFF
GetLastError.KERNEL32(00000000,608FF57A,?,00000001,00000000,?,?,?,00000000,00000000,?,608FF57A,?,?,?,00000000), ref: 608F2D39
__dosmaperr.LIBCMT ref: 608F2D40

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ErrorLast__dosmaperr$ByteCharMultiWide
String ID:
API String ID: 1913693674-0
Opcode ID: f5fa733fbbb9e5fb9d422006f3b2d7456bd41b2e28e793c0a366bf7ac6057d6e
Instruction ID: 1b78dc4534eded2c45d44d57ccf2b7dc1b7e082a3f014d0cfb8a10908af29370
Opcode Fuzzy Hash: f5fa733fbbb9e5fb9d422006f3b2d7456bd41b2e28e793c0a366bf7ac6057d6e
Instruction Fuzzy Hash: 8021D73160424DAF9711EF7ECC4194BB7A9FF653A8B108D18F82597250E738EC428B90

Function 608F1429 Relevance: 6.1, APIs: 4, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f478464ab650ecac90ca47e2c53ce0984592fbf1b299bf899ca3a95cd665ec2
Instruction ID: fb611f5d28b9f09e3ae8cc39ee552d783cab8ac78b12e3a3164b1cb2f843d14e
Opcode Fuzzy Hash: 3f478464ab650ecac90ca47e2c53ce0984592fbf1b299bf899ca3a95cd665ec2
Instruction Fuzzy Hash: 132192B160420DAF9F11DFBACC4095A776BEFB23E8B108D14F86597550EB30DC428B54

Function 608A65D0 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(60987160,?,?,?,608A33A7,?,null pointer given to construct_at,?,?,?,00000000), ref: 608A6628
ReleaseSRWLockExclusive.KERNEL32(60987160,?,608A33A7,608A33A7,?,?,?,608A33A7,?,null pointer given to construct_at,?,?,?,00000000), ref: 608A6658
__Init_thread_header.LIBCMT ref: 608A6676

Part of subcall function 608DCF67: EnterCriticalSection.KERNEL32(60976154,?,?,?,6090E691,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D), ref: 608DCF72
Part of subcall function 608DCF67: LeaveCriticalSection.KERNEL32(60976154,?,6090E691,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?,?,608AF89D,?), ref: 608DCFAF

__Init_thread_header.LIBCMT ref: 608A66A5

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: CriticalExclusiveInit_thread_headerLockSection$AcquireEnterLeaveRelease
String ID:
API String ID: 35131462-0
Opcode ID: ac0f627224d01b810ca34f16d83885f8a1f11633a0d930476e106370ef5d2392
Instruction ID: cba775a5fc361f40c62ee9d38d4644e8c1b9c83cc00a79fe3645e59a557be30b
Opcode Fuzzy Hash: ac0f627224d01b810ca34f16d83885f8a1f11633a0d930476e106370ef5d2392
Instruction Fuzzy Hash: 4F21BF71A082018BCB14CF6CC84DA5ABFB3FBB7714B000D69E815ABB91D730E915DB92

Function 609006A6 Relevance: 6.1, APIs: 4, Instructions: 74COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 609006AE

Part of subcall function 609005AA: WideCharToMultiByte.KERNEL32(?,00000000,044F8D04,8FE85150,83FFFD0A,06C708C4,609450E0,4E89084E,-00000008,-00000008,00000000,6090E44E,608F9AAB,CE8956E5,00000000,-00000008), ref: 6090060B

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 609006E6
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 60900706

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: EnvironmentStrings$Free$ByteCharMultiWide
String ID:
API String ID: 158306478-0
Opcode ID: 75213eb6615b411f2ff261dee43a3acaf717912158c0dc42c0911277c4c09f9e
Instruction ID: dde06bbb656c5b47fb765c20a64e2d6039f49cef58b563f8914685ce2f00470e
Opcode Fuzzy Hash: 75213eb6615b411f2ff261dee43a3acaf717912158c0dc42c0911277c4c09f9e
Instruction Fuzzy Hash: 7211C8B19095157F67125F768CDEC6F2E6FDFE62A8B100428F40691200EB78DD4195B1

Function 608F32A8 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,89FFFFFD,E08589C0,00000000,608F31E2,00000000,?,608F354C,608F31E2,?,?,?,60886EBC,?,00000001,00000000), ref: 608F32BE
GetLastError.KERNEL32(?,608F354C,608F31E2,?,?,?,60886EBC,?,00000001,00000000,00000000,?,608F31E2,?,60886EBC,?), ref: 608F32C8
__dosmaperr.LIBCMT ref: 608F32CF
GetFullPathNameW.KERNEL32(?,89FFFFFD,E08589C0,00000000,89FFFFFE,?,608F354C,608F31E2,?,?,?,60886EBC,?,00000001,00000000,00000000), ref: 608F32F9

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: FullNamePath$ErrorLast__dosmaperr
String ID:
API String ID: 1391015842-0
Opcode ID: 3c4542e75c17b7df7185d1f5b9d9ebe3a707c1af79f3b9030917caa983dd10ca
Instruction ID: 28698d1ab56e14786b3c593e240cab251bded21d49ce2fa205ca8b0a6d5d4cc3
Opcode Fuzzy Hash: 3c4542e75c17b7df7185d1f5b9d9ebe3a707c1af79f3b9030917caa983dd10ca
Instruction Fuzzy Hash: 53F08C76200305AFDB21DBB6DC04A4BBFAAEF553A47108C29F59AD6220EF31EC119B51

Function 608F330E Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,89FFFFFD,E08589C0,00000000,608F31E2,00000000,?,608F34DA,608F31E2,608F31E2,?,?,?,60886EBC,?,00000001), ref: 608F3324
GetLastError.KERNEL32(?,608F34DA,608F31E2,608F31E2,?,?,?,60886EBC,?,00000001,00000000,00000000,?,608F31E2,?,60886EBC), ref: 608F332E
__dosmaperr.LIBCMT ref: 608F3335
GetFullPathNameW.KERNEL32(?,89FFFFFD,E08589C0,00000000,89FFFFFE,?,608F34DA,608F31E2,608F31E2,?,?,?,60886EBC,?,00000001,00000000), ref: 608F335F

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: FullNamePath$ErrorLast__dosmaperr
String ID:
API String ID: 1391015842-0
Opcode ID: 127e6193e01dbe5bae19192e305d2bb9abb1b8aded0eb52cfd74968cc6e83e4a
Instruction ID: 087d7ea0a14ebb9735ddcf7bbed595e47b4503c1c1b809408a5b77c11512f704
Opcode Fuzzy Hash: 127e6193e01dbe5bae19192e305d2bb9abb1b8aded0eb52cfd74968cc6e83e4a
Instruction Fuzzy Hash: 70F06936200305AFDA21DB7AD804E4BBFAAEB557A0B108829F559C6220EF31EC119B51

Function 6089C240 Relevance: 6.0, APIs: 1, Strings: 3, Instructions: 39COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 6089C257

Strings

..\..\third_party\crashpad\crashpad\util\win\scoped_handle.cc, xrefs: 6089C277
Free, xrefs: 6089C27C
CloseHandle, xrefs: 6089C299

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: CloseHandle
String ID: ..\..\third_party\crashpad\crashpad\util\win\scoped_handle.cc$CloseHandle$Free
API String ID: 2962429428-1704384866
Opcode ID: 81540cfce0ac0b93097a4eb830791eff85881e3bd2dd373772445b5b0a2c0358
Instruction ID: 6ccf764c5c7dae1ed87ec0f0832da5eea5c0547a6c48395081516fe3e6536d92
Opcode Fuzzy Hash: 81540cfce0ac0b93097a4eb830791eff85881e3bd2dd373772445b5b0a2c0358
Instruction Fuzzy Hash: 2EF0F631A50118678E14ABAA9C168AE7B2BEFF6618B40041DF8093B243DB31A51486E2

Function 609088AA Relevance: 6.0, APIs: 4, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(14C483FF,835500EB,C58314EC,00000000,CC680000,6090E53A,60903085,6090E542,00000001,6090E536,8D609450,6090E556,608F3D36,8D609450,00000000,00000000), ref: 609088C1
GetLastError.KERNEL32(?,C483FFFD), ref: 609088CD

Part of subcall function 60908920: CloseHandle.KERNEL32(FFFFFFFE,609088DD,?,C483FFFD), ref: 60908930

___initconout.LIBCMT ref: 609088DD

Part of subcall function 609088FF: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,6090889B,60903072,8D609450,6090E556,608F3D36,8D609450,00000000,00000000,8D609450), ref: 60908912

WriteConsoleW.KERNEL32(14C483FF,835500EB,C58314EC,00000000,?,C483FFFD), ref: 609088F2

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 109158d9fc02154b021478a774be1caf2c83090072bcd1d070f5abe0699c0cf6
Instruction ID: 8a31703f62bcbf19e75dc65504945fc55f8a13d5c7cce9e9eb64eeeac8570d15
Opcode Fuzzy Hash: 109158d9fc02154b021478a774be1caf2c83090072bcd1d070f5abe0699c0cf6
Instruction Fuzzy Hash: 11F0F836514229BBCF171F96CC08A9A3F37FB193B0B408015FE5AA5131CB72C860AB94

Function 608DD027 Relevance: 6.0, APIs: 4, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

SleepConditionVariableCS.KERNELBASE(?,608DCF8C,00000064), ref: 608DD04A
LeaveCriticalSection.KERNEL32(60976154,?,?,608DCF8C,00000064,?,6090E691,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?), ref: 608DD054
WaitForSingleObjectEx.KERNEL32(?,00000000,?,608DCF8C,00000064,?,6090E691,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?), ref: 608DD065
EnterCriticalSection.KERNEL32(60976154,?,608DCF8C,00000064,?,6090E691,60985234,?,6090E72A,?,?,6087B0B9,ios_base::clear,?,?), ref: 608DD06C

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
String ID:
API String ID: 3269011525-0
Opcode ID: c4a86723628a691382f8069e356a6b9fb8ecb61f00b4684938e06242e27f2f10
Instruction ID: 3fd6e70f1a404aadc341a365414c7c9c8bb72bf2dfbf257435fd80ae09a0c253
Opcode Fuzzy Hash: c4a86723628a691382f8069e356a6b9fb8ecb61f00b4684938e06242e27f2f10
Instruction Fuzzy Hash: E4E0ED3752D628ABCE121B96CC1CA897F2BEB57765B504010F6057A2628A715940EBD0

Function 608BF5A0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 246COMMON

Download Yara Rule

APIs

__Init_thread_header.LIBCMT ref: 608BF742

Strings

..\..\base\trace_event\trace_log.cc, xrefs: 608BF8F4

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: Init_thread_header
String ID: ..\..\base\trace_event\trace_log.cc
API String ID: 3738618077-2592325830
Opcode ID: 978a5e6c218e0f6d4b4c312b5ae5448be39abb63f61738fd1b4028fdc1cfa912
Instruction ID: daf6f4f9ef6000540126e1932d67db1f8f3569d344ed01d49f8988ce19595ff1
Opcode Fuzzy Hash: 978a5e6c218e0f6d4b4c312b5ae5448be39abb63f61738fd1b4028fdc1cfa912
Instruction Fuzzy Hash: A291C5759483419FD710CF38C841B5A7BE2EFA6354F044E2DE8999B391EB30D949CB92

Function 60880E10 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_header.LIBCMT ref: 60881350

Strings

mber, xrefs: 60880FF9
ober, xrefs: 60880FA5

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: Init_thread_header
String ID: mber$ober
API String ID: 3738618077-4233749566
Opcode ID: 049dc2b68a9bfce932500fa1a7e552598eb2fb5aed768ae46ddecc0540245579
Instruction ID: 089613d412658312d8aca2747076e63ae13a12cd9f456e71720504b3e4087e32
Opcode Fuzzy Hash: 049dc2b68a9bfce932500fa1a7e552598eb2fb5aed768ae46ddecc0540245579
Instruction Fuzzy Hash: E3C109B052D281CEEF16CB18C9C87003FA7A723318F954E89D0566F7A5C7B6994CEB52

Function 608B2C10 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 152COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(?), ref: 608B2C53
ReleaseSRWLockExclusive.KERNEL32(?,?,00000021,?,00004000,000000FF), ref: 608B2D4A

Strings

first, xrefs: 608B2DEE

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: first
API String ID: 17069307-2456940119
Opcode ID: b2c74b98472bfbebac11d57e636d6bacc7f46ed8c2ba848bc3dd0d6dca470be1
Instruction ID: 9f7c5bf272edd2ee7b27858139f935082fc0f1f7c9ce050e3a45d74a2db8bca5
Opcode Fuzzy Hash: b2c74b98472bfbebac11d57e636d6bacc7f46ed8c2ba848bc3dd0d6dca470be1
Instruction Fuzzy Hash: 815101316043058BC715CF28C88066ABBE2EFD9354F28896CF9958B399D774EC46CB81

Function 608B3350 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144COMMON

Download Yara Rule

APIs

ReleaseSRWLockExclusive.KERNEL32(?,00000001), ref: 608B345B
TryAcquireSRWLockExclusive.KERNEL32(?,?), ref: 608B34B3

Strings

first, xrefs: 608B34FF

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: first
API String ID: 17069307-2456940119
Opcode ID: f06f31b85af8a1b0a8e028b94193dd9ac0df143db8c73cad31b3b046cbde04ea
Instruction ID: 799c744e596fc681321b1848d335851ff43c8721d64d32c39f45701c3b9f144e
Opcode Fuzzy Hash: f06f31b85af8a1b0a8e028b94193dd9ac0df143db8c73cad31b3b046cbde04ea
Instruction Fuzzy Hash: D4511431A047518FC712CF29C444B6ABBE2EFA9704F148D7CE8A89B395D775AC45CB82

Function 608B31A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

APIs

ReleaseSRWLockExclusive.KERNEL32(?,00000001), ref: 608B328B
TryAcquireSRWLockExclusive.KERNEL32(?,?), ref: 608B32E3

Strings

first, xrefs: 608B332F

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: first
API String ID: 17069307-2456940119
Opcode ID: f1a7635cac4092175a421b89a0d3caadb3d7ecce8d6146327a19d93302bcd9c8
Instruction ID: 6edab52c546e11c02bf51b0ef0ac342fb71b592d797ece0f53f936648716c673
Opcode Fuzzy Hash: f1a7635cac4092175a421b89a0d3caadb3d7ecce8d6146327a19d93302bcd9c8
Instruction Fuzzy Hash: 2B4112716047428BC301CF69C44176ABBE2FFE9305F24892DE8688B394D775DD46CB92

Function 6089E720 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 6089E7CB
_strlen.LIBCMT ref: 6089E802

Strings

Google.Chrome, xrefs: 6089E773

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: _strlen
String ID: Google.Chrome
API String ID: 4218353326-2537414952
Opcode ID: b2bbdfbd5fc3c7b87f44f5223caeb8aa7eee97461f9231da44101cbbc1a94fe5
Instruction ID: cb7f76b4266d79a36b70d2da7fd9a5df3e09b0e741a92e9745d8a6f4c3c11125
Opcode Fuzzy Hash: b2bbdfbd5fc3c7b87f44f5223caeb8aa7eee97461f9231da44101cbbc1a94fe5
Instruction Fuzzy Hash: C2414CB1D002199FCB04CFA8D881ADEBBF9FF59618F14456AE805AB341E731D946CBE1

Function 60896EE0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

__aullrem.LIBCMT ref: 60896F2A
__aulldiv.LIBCMT ref: 60896F40

Strings

-, xrefs: 60896FAD

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: __aulldiv__aullrem
String ID: -
API String ID: 3839614884-2547889144
Opcode ID: edd76ead30f523d040604d34bb5f5c76fe583f245ebe6082119c31761aa06711
Instruction ID: 735c71cafa6ab41ac1d2fda9901730d4104f984fe0cdbdeac611051ffbcb58b4
Opcode Fuzzy Hash: edd76ead30f523d040604d34bb5f5c76fe583f245ebe6082119c31761aa06711
Instruction Fuzzy Hash: 7A3107729102685FDB04DF7CD8407AEBBA9EFA9354F254A2AFC09D7381DB30590087D1

Function 608F8218 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

___except_validate_context_record.LIBVCRUNTIME ref: 608F848F

Strings

csm, xrefs: 608F84B1
csm, xrefs: 608F8522

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ___except_validate_context_record
String ID: csm$csm
API String ID: 3493665558-3733052814
Opcode ID: 9d93fb6f08bc2c5b939e313be525d955a8bce9de7ad3cb9867ea2e0a7bf90cfb
Instruction ID: 1c95b08544312236bb0bbb16bc7aed9b046e4dca1543d36a07374fcf2c716cc7
Opcode Fuzzy Hash: 9d93fb6f08bc2c5b939e313be525d955a8bce9de7ad3cb9867ea2e0a7bf90cfb
Instruction Fuzzy Hash: 5A31A37250021DEBCF12CF76C84099A7B66FB29395B28499AF86449210E3B2CC63DB91

Function 6092EFD0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?), ref: 6092EFF4

Strings

GetFileAttributes , xrefs: 6092F061
..\..\third_party\crashpad\crashpad\util\file\filesystem_win.cc, xrefs: 6092F04F

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: AttributesFile
String ID: ..\..\third_party\crashpad\crashpad\util\file\filesystem_win.cc$GetFileAttributes
API String ID: 3188754299-537131185
Opcode ID: 607911bf917b47f39cb466f4a793e5d5758f384e03d75363358f763cfd8758dd
Instruction ID: 80775eb23adffe407c18b55c877a42861b7c8b3346374e314e6846b75b4bde1d
Opcode Fuzzy Hash: 607911bf917b47f39cb466f4a793e5d5758f384e03d75363358f763cfd8758dd
Instruction Fuzzy Hash: B1315C719902645BEB208B64EC51F5A7B6BEF3130CF0044A4F819A7287D735ED48CB51

Function 6092D410 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 93fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32 ref: 6092D44F

Strings

CreateFile , xrefs: 6092D4A6
..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc, xrefs: 6092D494

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: CreateFile
String ID: ..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc$CreateFile
API String ID: 823142352-2987130713
Opcode ID: 704b91e18684ec298045444f9ebb1e0c66db1efcb20a311d2526d53e54f7a521
Instruction ID: 5e2e598553a0aefee0f8a359b492e92137144cad08f2c21cc218ea84f298f137
Opcode Fuzzy Hash: 704b91e18684ec298045444f9ebb1e0c66db1efcb20a311d2526d53e54f7a521
Instruction Fuzzy Hash: 1B3127719152246BDB10DB24EC51F69BB7AEF75308F0045A9F84C673D5E730EA48CB92

Function 6092F100 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?), ref: 6092F124

Strings

GetFileAttributes , xrefs: 6092F182
..\..\third_party\crashpad\crashpad\util\file\filesystem_win.cc, xrefs: 6092F170

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: AttributesFile
String ID: ..\..\third_party\crashpad\crashpad\util\file\filesystem_win.cc$GetFileAttributes
API String ID: 3188754299-537131185
Opcode ID: a9671cc72407373102e7b9ef505ec3312885681c6d999a1f3bd02db6093912f4
Instruction ID: 6dbe4f9be981dd75f32831f1c5ce27da42af968ae1cfee682a5ebe73de79693d
Opcode Fuzzy Hash: a9671cc72407373102e7b9ef505ec3312885681c6d999a1f3bd02db6093912f4
Instruction Fuzzy Hash: 8E21F7719582289BEF10CB64EC92F9A7B3AEF2530CF4401B4F9089B196D734DE58CB61

Function 6092F370 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

RemoveDirectoryW.KERNEL32(?), ref: 6092F393

Strings

RemoveDirectory , xrefs: 6092F3EB
..\..\third_party\crashpad\crashpad\util\file\filesystem_win.cc, xrefs: 6092F3D9

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: DirectoryRemove
String ID: ..\..\third_party\crashpad\crashpad\util\file\filesystem_win.cc$RemoveDirectory
API String ID: 597925465-4050888278
Opcode ID: f72c1ff8d6b1184852f6a6f34c5bea863a5671bd0bc5320889ab9f068367e424
Instruction ID: 49a1b3b8d2abdb6160bfea521d18bdee12126d7b264227251072cbb7afdb3515
Opcode Fuzzy Hash: f72c1ff8d6b1184852f6a6f34c5bea863a5671bd0bc5320889ab9f068367e424
Instruction Fuzzy Hash: FA3138719502246BEB10DB20EC55F6A773BAF7130CF0041B9F808A7285EB35DE08CA61

Function 6089B080 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,00000000), ref: 6089B108

Strings

..\..\base\files\file_util_win.cc, xrefs: 6089B0C8
GetCurrentDirectoryW, xrefs: 6089B0CD

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: CurrentDirectory
String ID: ..\..\base\files\file_util_win.cc$GetCurrentDirectoryW
API String ID: 1611563598-3514530069
Opcode ID: ab59cc6cc0c993075b10275d5deeeb7c1d590ff3c3c34fd2c4113868f51531b5
Instruction ID: 5ed014d492b9f46e4f798fadfad7bbe535ef616c4699800207ad02077e0bcc09
Opcode Fuzzy Hash: ab59cc6cc0c993075b10275d5deeeb7c1d590ff3c3c34fd2c4113868f51531b5
Instruction Fuzzy Hash: 9A210DB2A143445BD620EF788C86EAFB7A9EFE4354F000D3DF58757281EF70A5448696

Function 609246B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(?,00000000,000001D0), ref: 609246FA
ReleaseSRWLockExclusive.KERNEL32(?), ref: 6092474F

Part of subcall function 608C38D0: AcquireSRWLockExclusive.KERNEL32(?,?,6088D907,?,?,?,?,?,__len <= static_cast<size_type>(numeric_limits<difference_type>::max()),string_view::string_view(_CharT *, size_t): length does not fit in difference_type), ref: 608C38D4

Strings

tracing/main_trace_log, xrefs: 60924767

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ExclusiveLock$Acquire$Release
String ID: tracing/main_trace_log
API String ID: 1678258262-566173763
Opcode ID: cbbb2e85b525dcbf1ba2d378b69cba8615598eebc2fc73039fed52590eb7ac20
Instruction ID: 1108476acfebfcdb0d8a0e4a6e932e12d34968ab1a939274c463a5ed8cae8aa7
Opcode Fuzzy Hash: cbbb2e85b525dcbf1ba2d378b69cba8615598eebc2fc73039fed52590eb7ac20
Instruction Fuzzy Hash: 69219F357102189BCF159F64DC55BAE7B7BBFA6704F000058E91A2B385DF30AA05CF92

Function 608B0060 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

TryAcquireSRWLockExclusive.KERNEL32(00000000,00000002,FFE00000,?,608B1D50,00000002,FFE00000,?,?), ref: 608B0070
ReleaseSRWLockExclusive.KERNEL32(00000000,?,608B1D50,00000002,FFE00000,?,?), ref: 608B00B5

Strings

bitset reset argument out of range, xrefs: 608B0100

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ExclusiveLock$AcquireRelease
String ID: bitset reset argument out of range
API String ID: 17069307-1934458321
Opcode ID: e5f15feab1705fba1cea4ace9c3a29d09d53e2f7cb51e72a9e1d94e9d3ebb7ed
Instruction ID: 7c82c8875fd1fcc21c5ca3342a1de4429a016fc5b2d7be27aaa9d9acebec285b
Opcode Fuzzy Hash: e5f15feab1705fba1cea4ace9c3a29d09d53e2f7cb51e72a9e1d94e9d3ebb7ed
Instruction Fuzzy Hash: A501043321490857CA19EA288C517AE3A17EBF3325B214A18E522D37E0D770C883CA81

Function 608A0030 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

Part of subcall function 6089FF20: SetFilePointerEx.KERNEL32 ref: 6089FF96

SetEndOfFile.KERNEL32(608969DD), ref: 608A005B

Strings

SetEndOfFile, xrefs: 608A00B6
..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc, xrefs: 608A00A4

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: File$Pointer
String ID: ..\..\third_party\crashpad\crashpad\util\file\file_io_win.cc$SetEndOfFile
API String ID: 1339342385-359779137
Opcode ID: 4229a72fb1a11e0a44389e3cdec2b33ca0e0913ae5d4e5bbf9b749b33f6f1f7c
Instruction ID: 18f4f3b57ca3679a63856fc680e5a474b577e989fdda9e1294302b047daae318
Opcode Fuzzy Hash: 4229a72fb1a11e0a44389e3cdec2b33ca0e0913ae5d4e5bbf9b749b33f6f1f7c
Instruction Fuzzy Hash: 67012D61F502186AFA10D7746C52FAE7B6EDF3134CF004424FD0867681DF259D0889B2

Function 6089A560 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 56COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(6089AEA7,?,00000000), ref: 6089A5C6

Strings

..\..\base\files\file_util_win.cc, xrefs: 6089A5A0
DirectoryExists, xrefs: 6089A5A5

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: AttributesFile
String ID: ..\..\base\files\file_util_win.cc$DirectoryExists
API String ID: 3188754299-3466678008
Opcode ID: 7bbbd0345343f3ab056dded9a12105c57e252c72d7473abc320ad2c80ffcc763
Instruction ID: 499a20cff08533e29fa840aa13971781295ef4e2342fb71684900bd075f7dc68
Opcode Fuzzy Hash: 7bbbd0345343f3ab056dded9a12105c57e252c72d7473abc320ad2c80ffcc763
Instruction Fuzzy Hash: 25114872B107405BD310DF388C8562ABBA5FFE9220F100F2EF986A3281FBB0A54487C1

Function 6088D2F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 55COMMON

Download Yara Rule

APIs

WerRegisterRuntimeExceptionModule.KERNEL32(?,6095CD54), ref: 6088D346

Strings

..\..\third_party\crashpad\crashpad\client\crashpad_client_win.cc, xrefs: 6088D389
not connected, xrefs: 6088D39B

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: ExceptionModuleRegisterRuntime
String ID: ..\..\third_party\crashpad\crashpad\client\crashpad_client_win.cc$not connected
API String ID: 634786029-1396733316
Opcode ID: cc67569f3ddef2a6c643c1ea9d87785be25acbcf15b3f80f94ddb3a4c735e7fd
Instruction ID: b7a1d975e2afbe37bea1e1211229f1dff6adf1d8880da3cf2a1a2fce4effef90
Opcode Fuzzy Hash: cc67569f3ddef2a6c643c1ea9d87785be25acbcf15b3f80f94ddb3a4c735e7fd
Instruction Fuzzy Hash: 831127B06043045FCB21CB26AC02B593F76DB66718F404936B514AB3E1E734A548CB82

Function 6089A3C0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,?,00000000), ref: 6089A426

Strings

..\..\base\files\file_util_win.cc, xrefs: 6089A400
PathExists, xrefs: 6089A405

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: AttributesFile
String ID: ..\..\base\files\file_util_win.cc$PathExists
API String ID: 3188754299-2561805633
Opcode ID: 14491476514940f3604a690d0efe690bc11d56aa73e6eac88e12090651cfbf01
Instruction ID: 5c9b9b9136fafdc4c33a8ddd2f8484a78cb15cae39cc624d189e2a37c1bd1e46
Opcode Fuzzy Hash: 14491476514940f3604a690d0efe690bc11d56aa73e6eac88e12090651cfbf01
Instruction Fuzzy Hash: 8F012671A107415BD310DF388C4562ABBA4FFD9624F500B2EF9D6A3681FB70A58487C1

Function 60923470 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 44COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(..\..\third_party\crashpad\crashpad\client\crashpad_client_win.cc,0000035F,00000002), ref: 6092349B

Strings

..\..\third_party\crashpad\crashpad\client\crashpad_client_win.cc, xrefs: 609234DB
not connected, xrefs: 609234ED

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: CurrentProcess
String ID: ..\..\third_party\crashpad\crashpad\client\crashpad_client_win.cc$not connected
API String ID: 2050909247-1396733316
Opcode ID: dc82a601ddf94bf3852b586c50837abbac71a91918865fe856c8a6804813e1dd
Instruction ID: 2c12b50dc6fc7ae7f3c6a5a5307739e79a7173130b1379acd04ec79edbb8e0b0
Opcode Fuzzy Hash: dc82a601ddf94bf3852b586c50837abbac71a91918865fe856c8a6804813e1dd
Instruction Fuzzy Hash: 4F012061A2031457CE11B779BC06B5C7B2A9F72714F808464F508662F1EB34A5084652

Function 608C8270 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,608BFA8E,?,?,00000001,?,60894216,?,?,?,?,60894052,00000001,00000000), ref: 608C8284
GetProcAddress.KERNEL32(00000000,GetHandleVerifier), ref: 608C8290

Strings

GetHandleVerifier, xrefs: 608C828A

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetHandleVerifier
API String ID: 1646373207-1090674830
Opcode ID: 9eb41f25c9ea9972b11ddd3b5e1ecfe4447d9fc32377dd4219ea38de92414c79
Instruction ID: b6f1f517423a1b5b6db6854311e56e587655a793460aa394e64fd0433dadf5e3
Opcode Fuzzy Hash: 9eb41f25c9ea9972b11ddd3b5e1ecfe4447d9fc32377dd4219ea38de92414c79
Instruction Fuzzy Hash: B3E0C0306E8604EBDE51A7A9CC5EB653E6BE722716F100C10B506E91E1EAA4D844E662

Function 6092C570 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,6089EB12), ref: 6092C575
GetProcAddress.KERNEL32(00000000,GetHandleVerifier), ref: 6092C581

Strings

GetHandleVerifier, xrefs: 6092C57B

Memory Dump Source

Source File: 00000009.00000002.3584705218.0000000060861000.00000020.00000001.01000000.00000010.sdmp, Offset: 60860000, based on PE: true

Associated: 00000009.00000002.3584682834.0000000060860000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589213213.0000000060939000.00000002.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589506841.000000006095A000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006095C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.000000006096C000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589575980.0000000060974000.00000008.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589728147.0000000060976000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589756930.0000000060982000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589800011.0000000060985000.00000004.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589852491.000000006098D000.00000020.00000001.01000000.00000010.sdmpDownload File
Associated: 00000009.00000002.3589877551.000000006098E000.00000002.00000001.01000000.00000010.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_60860000_GamePall.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetHandleVerifier
API String ID: 1646373207-1090674830
Opcode ID: d22af09c3b93e476c274d6a8463882fdbcabefebb61e123c728814f55f37c69b
Instruction ID: ae249458253e8b38694d295863157b515e3e3e707d2901043092962992f699c4
Opcode Fuzzy Hash: d22af09c3b93e476c274d6a8463882fdbcabefebb61e123c728814f55f37c69b
Instruction Fuzzy Hash: 45E086B12BC3046BEA0037BAAC1EF5A3D0FA725716F100C10B50AE90D5E991E440D161

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

DDoS

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZRZDXR93\huge[1].dat

C:\Users\user\AppData\Local\Temp\nsf909B.tmp\liteFirewall.dll

C:\Users\user\AppData\Local\Temp\nskF942.tmp\INetC.dll

C:\Users\user\AppData\Local\Temp\nskF942.tmp\blowfish.dll

C:\Users\user\AppData\Local\Temp\nskF942.tmp\nsProcess.dll

C:\Users\user\AppData\Local\Temp\setup.exe

C:\Users\user\AppData\Roaming\GamePall\DawnCache\data_0

C:\Users\user\AppData\Roaming\GamePall\DawnCache\data_1

C:\Users\user\AppData\Roaming\GamePall\DawnCache\data_2

C:\Users\user\AppData\Roaming\GamePall\DawnCache\data_3

C:\Users\user\AppData\Roaming\GamePall\DawnCache\index

C:\Users\user\AppData\Roaming\GamePall\Del.exe

C:\Users\user\AppData\Roaming\GamePall\GPUCache\data_0

C:\Users\user\AppData\Roaming\GamePall\GPUCache\data_1

C:\Users\user\AppData\Roaming\GamePall\GPUCache\data_2

C:\Users\user\AppData\Roaming\GamePall\GPUCache\data_3

C:\Users\user\AppData\Roaming\GamePall\GPUCache\index

C:\Users\user\AppData\Roaming\GamePall\GamePall.exe

C:\Users\user\AppData\Roaming\GamePall\Ionic.Zip.dll

Windows Analysis Report
SecuriteInfo.com.Win32.Trojan-Downloader.Generic.XVN7C1.21480.14818.exe